Status: NeedInfo

Comment #1 on issue 3052 by chip...@gmail.com: security vulnerability: python injection

Thanks for reporting this.

I'm not able to reproduce it. I set up an environment with 1.7.11 and tried the repro case you provided. I haven't been able to cause this.

Looking at your log output, the 404 result you provided shows a result from Django. The Django 404 happens because the URLs registered don't allow parens, so we never get to a point where we reach any API handler for "quit()" that can throw an API version of a 404, instead throwing only a standard Django 404.

So all that looks correct. Well, "correct." We should probably have some generic thing on /api/* that throws a 404 if nothing else matches.

Now, you end up with an Operation Timed Out. That's very strange. What happens when connecting from a web browser?

Also, what version of RBTools are you using?

Does that query for get_review_requests work before doing the get_user('quit()')?
