Updates:
Status: NeedInfo
Comment #1 on issue 3052 by [email protected]: security vulnerability:
python injection
http://code.google.com/p/reviewboard/issues/detail?id=3052
Thanks for reporting this.

I'm not able to reproduce it. I set up an environment with 1.7.11 and tried
the repro case you provided. I haven't been able to cause this.

Looking at your log output, the 404 result you provided shows a result from
Django. The Django 404 happens because the URLs registered don't allow
parens, so we never get to a point where we reach any API handler
for "quit()" that can throw an API version of a 404, instead throwing only
a standard Django 404.

So all that looks correct. Well, "correct." We should probably have some
generic thing on /api/* that throws a 404 if nothing else matches.

Now, you end up with an Operation Timed Out. That's very strange. What
happens when connecting from a web browser?

Also, what version of RBTools are you using?

Does that query for get_review_requests work before doing the
get_user('quit()') ?