#7495: notebook: get rid of all possible "internal server errors" when doing "Data --> Upload or attach file"
------------------------+---------------------------------------------------
Reporter: was | Owner: boothby
Type: defect | Status: new
Priority: critical | Milestone: sage-4.3
Component: notebook | Keywords:
Work_issues: | Author:
Reviewer: | Merged:
------------------------+---------------------------------------------------
Uploading or attaching an empty file or a file that doesn't exist, etc.
can cause internal server errors instead of a proper error message.
Moreover, notice these lines in twist.py:
{{{
class Worksheet_do_upload_data
    ...
        dest = os.path.join(self.worksheet.data_directory(), name)
        if os.path.exists(dest):
            os.unlink(dest)
}}}
With a properly crafted URL I bet name could contain .. and hence one
could make the notebook *server* delete any file it has access to! This
is a critical security vulnerability.
See also #3849 for similar issues when uploading a worksheet.
--
Ticket URL: <http://trac.sagemath.org/sage_trac/ticket/7495>
Sage <http://www.sagemath.org>
Sage: Creating a Viable Open Source Alternative to Magma, Maple, Mathematica, and MATLAB
--
You received this message because you are subscribed to the Google Groups
"sage-trac" group.
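The traversal the ticket describes, shown as an added example that is not part of the ticket, the notebook's twist.py, or Sage itself: `vulnerable_upload_dest` re-creates the quoted join-then-unlink pattern with a client-controlled `name`, and `safe_upload_dest` is a hardened form that rejects directory components (including absolute names, which `os.path.join` silently lets replace the base directory) and confirms the resolved path still sits under the data directory. The function names, the temporary "victim" file and the crafted `../victim.txt` name are all constructed for the demonstration.

```python
import os
import shutil
import tempfile


def vulnerable_upload_dest(data_directory, name):
    """Re-creation of the pattern quoted from twist.py (not the real handler):
    the client-supplied name is joined onto the data directory unchecked,
    and whatever that path points at is unlinked."""
    dest = os.path.join(data_directory, name)
    if os.path.exists(dest):
        os.unlink(dest)
    return dest


def safe_filename(name):
    """Accept only a single, non-empty path component.
    Raises ValueError so the caller can return a proper error message
    instead of an internal server error or a silent rewrite."""
    if not name or name in (".", ".."):
        raise ValueError("empty or reserved file name")
    if "\x00" in name:
        raise ValueError("file name must not contain NUL")
    # An absolute name makes os.path.join discard the base directory entirely.
    if os.path.isabs(name) or os.sep in name or (os.altsep and os.altsep in name):
        raise ValueError("file name must not contain directory components")
    return name


def safe_upload_dest(data_directory, name):
    """Hardened form: validate the name, then verify the *resolved* destination
    is inside the data directory before touching the filesystem (this also
    refuses a symlink planted inside the data directory that points outside)."""
    name = safe_filename(name)
    base = os.path.realpath(data_directory)
    dest = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, dest]) != base:
        raise ValueError("destination escapes the data directory")
    if os.path.exists(dest):
        os.unlink(dest)
    return dest


def is_rejected(name):
    """True if safe_filename refuses the name."""
    try:
        safe_filename(name)
    except ValueError:
        return True
    return False


def demo():
    """Constructed scenario: a file one level above the data directory.
    Returns (vulnerable handler deleted it, hardened handler refused and it survived)."""
    root = tempfile.mkdtemp()
    try:
        data_dir = os.path.join(root, "data")
        os.mkdir(data_dir)
        victim = os.path.join(root, "victim.txt")
        with open(victim, "w") as f:
            f.write("not an upload\n")
        crafted = os.path.join("..", "victim.txt")  # the ".." the ticket warns about

        vulnerable_upload_dest(data_dir, crafted)
        deleted = not os.path.exists(victim)

        with open(victim, "w") as f:  # restore it for the second run
            f.write("not an upload\n")
        try:
            safe_upload_dest(data_dir, crafted)
            refused = False
        except ValueError:
            refused = True
        return deleted, refused and os.path.exists(victim)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("vulnerable deleted victim, hardened refused:", demo())
```

Rejecting rather than sanitising (stripping `..` or separators) is deliberate: a rewritten name can still collide with another user's file, and the ticket's stated goal is a proper error message, which a `ValueError` caught at the request boundary gives directly.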