Hi, I noticed another colubrid issue today.

I had originally written up my own static file handler, since I needed to perform a path search (i.e. look for a file in this directory; if not found, try this other one; if not there, then return 404). I started looking at whether I could eliminate some of my own code by using colubrid.server.StaticExports (and rationalizing my URLs so these resources could be resolved from independent paths).

I ended up deciding not to do this now because I noticed that the colubrid.server.StaticExports middleware doesn't do anything to protect from directory traversal. So with enough '../' in the URL, a client can successfully fetch any readable file on the filesystem.

This is a pretty risky situation; it should be fixed, and in the meantime the documentation should be updated to warn people to use it with caution.

Vineet
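The path-search static handler described in the message, with the traversal check that StaticExports is reported to lack, as an added example that is not part of the post and not colubrid's own code. The function name resolve_static, the constructed roots "static" and "fallback", and the constructed files are assumptions for illustration; the two checks are that the normalised request path contains no '..' segment and that the realpath() of the candidate still lies inside the realpath() of the root (which also catches symlinks pointing out of the directory):

```python
import os
import tempfile


def resolve_static(path, roots):
    """Return the first existing file for `path` inside one of `roots`
    (searched in order), or None if no root has it or the path escapes.

    Returning None lets the caller answer 404 instead of serving a file
    that lives outside the exported directories.
    """
    # Strip leading slashes so os.path.join does not discard the root,
    # then collapse '.' and '..' segments.
    rel = os.path.normpath(path.lstrip("/\\"))
    # First check: any '..' that survives normalisation, or an absolute
    # result, is an attempt to climb out of the root. Refuse before
    # touching the filesystem at all.
    if os.path.isabs(rel) or ".." in rel.split(os.sep):
        return None
    for root in roots:
        root_abs = os.path.realpath(root)
        candidate = os.path.realpath(os.path.join(root_abs, rel))
        # Second check: realpath() has resolved symlinks, so the final
        # location must still be under the root directory.
        if os.path.commonpath([root_abs, candidate]) != root_abs:
            continue
        if os.path.isfile(candidate):
            return candidate
    return None


def demo():
    """Build two constructed document roots in a temporary directory and
    exercise the resolver; returns the outcomes so they can be checked."""
    base = tempfile.mkdtemp()
    primary = os.path.join(base, "static")      # constructed root 1
    fallback = os.path.join(base, "fallback")   # constructed root 2
    os.makedirs(primary)
    os.makedirs(fallback)
    with open(os.path.join(primary, "app.css"), "w") as f:
        f.write("body {}")
    with open(os.path.join(fallback, "logo.png"), "w") as f:
        f.write("not really a png")
    # A constructed file outside both roots; a correct resolver must never
    # return it, however the request path is spelled.
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("private")
    roots = [primary, fallback]
    return {
        "primary": resolve_static("/app.css", roots)
        == os.path.realpath(os.path.join(primary, "app.css")),
        "fallback": resolve_static("/logo.png", roots)
        == os.path.realpath(os.path.join(fallback, "logo.png")),
        "missing": resolve_static("/nope.js", roots),
        "traversal": resolve_static("/../secret.txt", roots),
        "nested_traversal": resolve_static("/css/../../secret.txt", roots),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of the roots is the search order the message describes: the first root that contains the file wins, and a request that escapes one root is skipped rather than retried elsewhere. Checking against the realpath() of each root matters because an exported directory that is itself a symlink would otherwise make the containment comparison fail for every legitimate file.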
