On Sun, Nov 12, 2006 at 01:41:43PM +0100, Jonas Borgström wrote:
> I'm not sure we can trust the content-type. I took a quick look at the
> FieldStorage code (in cgi.py) and it looks like it would be possible for an
> attacker to circumvent this by:
>
> 1. Doing a POST request without any content-type at all.
> 2. Setting content-type to "multipart/whatever"
> (There might be other ways since the code is a little bit difficult to
> follow.)
>
> So if we're going down this road we really need to audit the
> FieldStorage class to make sure there is no way to get around it.
> Even better (safer) would be to go with Shun-ichi Goto's original
> suggestion and only disable the token validation for known safe content
> types such as text/xml.
>
> Another option would be to add a way for plugins to disable this check
> on a per request basis. But I have no idea on how this would best be
> implemented.
As this issue was fixed (confirmed?) in r4243 and the other major PITA #3996
was fixed in r4207, any ETA on 0.10.2? There are many people coming into the
IRC channel asking about this. Noah is swamped :)

--
Evolution: Taking care of those too stupid to take care of themselves.

You received this message because you are subscribed to the Google Groups "Trac Development" group.
For more options, visit this group at http://groups.google.com/group/trac-dev?hl=en
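The quoted concern above (a content-type based exemption from the form-token check being bypassed by omitting the header or sending "multipart/whatever") can be made concrete. The following is an added example, not Trac's code or Jonas's: it places a denylist-style check, which has exactly the two holes described in the thread, beside the allowlist approach the thread recommends (skip validation only for known-safe types such as text/xml). The function names, the header-dict shape and the sample requests are assumptions constructed for illustration.

```python
"""Added example (not Trac's code): when may a CSRF form-token check be skipped?

Exempting requests by Content-Type is only safe as an allowlist of known-safe
media types; a denylist of "form-like" types is bypassed by a request with no
Content-Type at all or with an unexpected subtype such as multipart/whatever.
"""

# Media types a browser submits from a plain HTML <form> (assumption: the set
# a denylist author would "obviously" think of).
FORM_CONTENT_TYPES = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
})

# Media types a browser cannot send from an HTML form; bodies of these types
# come from explicit clients (e.g. XML-RPC), so the form token is not needed.
SAFE_CONTENT_TYPES = frozenset({"text/xml"})

STATE_CHANGING_METHODS = frozenset({"POST", "PUT", "DELETE", "PATCH"})


def media_type(content_type):
    """Return the lowercased media type with parameters (charset, boundary)
    stripped, or None for a missing/blank header."""
    if not content_type:
        return None
    main = content_type.split(";", 1)[0].strip().lower()
    return main or None


def token_required_denylist(method, headers):
    """The flawed variant the thread warns about: validate only when the
    Content-Type is one of the known form types. `headers` is a plain dict
    of request headers (constructed shape, not Trac's request API)."""
    if method.upper() not in STATE_CHANGING_METHODS:
        return False
    return media_type(headers.get("Content-Type")) in FORM_CONTENT_TYPES


def token_required_allowlist(method, headers):
    """The recommended variant: validate unless the Content-Type is explicitly
    known-safe. A missing header or any unknown subtype stays protected."""
    if method.upper() not in STATE_CHANGING_METHODS:
        return False
    return media_type(headers.get("Content-Type")) not in SAFE_CONTENT_TYPES


# Constructed requests: the two bypasses from the thread, a genuine form post,
# a genuine XML-RPC call and a harmless GET.
SAMPLE_REQUESTS = [
    ("POST", {}),                                                  # no Content-Type
    ("POST", {"Content-Type": "multipart/whatever"}),              # bogus subtype
    ("POST", {"Content-Type": "multipart/form-data; boundary=xyz"}),
    ("POST", {"Content-Type": "text/xml; charset=utf-8"}),         # XML-RPC
    ("GET", {}),
]


def bypassed_by_denylist():
    """Return the sample requests that the denylist would leave unchecked but
    the allowlist correctly protects."""
    return [
        (m, h) for m, h in SAMPLE_REQUESTS
        if token_required_allowlist(m, h) and not token_required_denylist(m, h)
    ]


if __name__ == "__main__":
    for method, hdrs in SAMPLE_REQUESTS:
        print(method, hdrs.get("Content-Type"),
              "denylist:", token_required_denylist(method, hdrs),
              "allowlist:", token_required_allowlist(method, hdrs))
```

Running the script shows the denylist leaving both the header-less POST and the "multipart/whatever" POST unchecked, while the allowlist checks everything except the text/xml request. The `media_type` helper also matters: comparing the raw header value against "text/xml" would fail on "text/xml; charset=utf-8", and a sloppier substring match would be too permissive, so the parameters are stripped and the type lowercased before the lookup.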
