Regarding backwards compatibility between CherryPy 2.2.1 and 2.3.0 -
we discovered one trivial change that has to be made if using
uploadfilter.py.  We use the uploadfilter for video and user-picture
uploads; originally it came from:
http://www.cherrypy.org/attachment/ticket/546/uploadfilter.py

Line 213 had to be changed, initially it was (works with CherryPy
2.2.1):
                cherrypy.request.rfile = cherrypy.request.rfile.rfile
and for CherryPy 2.3.0 it has to be:
                cherrypy.request.rfile = cherrypy.request.rfile

It is a trivial one-line change but there aren't many docs on the
2.2.x to 2.3 changes for rfiles/requests for CherryPy and these things
can be a pain to debug.  Aside from this we experienced no problems
with the upgrade (Mark - thanks for the detailed easy_install up/
downgrade notes - very useful).

For reference, here's the modified block of code:
            if upload_maxsize:
                upload_maxsize *= 1024
                cherrypy.thread_data.upload_maxsize = upload_maxsize
                size = float(cherrypy.request.headers['Content-length'])
                if size > upload_maxsize:
                    raise Upload_MaxSizeError
                #cherrypy.request.rfile = cherrypy.request.rfile.rfile  # cherrypy 2.2.1
                cherrypy.request.rfile = cherrypy.request.rfile  # cherrypy 2.3.0

Cheers,
Ian. (at showmedo dot com)

On Jan 14, 11:28 pm, "Mark Ramm" <[EMAIL PROTECTED]> wrote:
> TurboGears users who have explicitly added CherryPy based sessions to
> their application are subject to an important security vulnerability.
>
> Malicious users could create a specially crafted cookie that could
> delete files beginning with your SESSION_PREFIX from your file system,
> add new files with that prefix, or overwrite files with the same
> prefix with arbitrary pickled python objects.
>
> All such users can re-secure their system by updating to CherryPy 2.3.0.
>
> Most TurboGears users are not vulnerable to this issue, and do not
> need to update their systems, you are only vulnerable if you have
> specifically enabled sessions with:
>
> sessionFilter.on = True
>
> in your configuration file.
>
> You can also search for calls to cherrypy.session in your application.
>  If you find either of these things in your application you are
> potentially vulnerable, and should test your application with 2.3.0
> which should be backwards compatible with your existing turbogears
> app.
>
> The easiest way to secure your application is to easy-install it via:
>
> easy_install -UZ "Cherrypy==2.3.0"
>
> You can use "tg-admin info" to check what version of CherryPy you
> currently have installed.   Please do this before you attempt to
> update, so that if anything goes wrong you can rollback to your
> earlier version of CherryPy with:
>
> easy_install "CherryPy==YourVersion"
>
> Once the update is complete, be sure to use "tg-admin info" again to
> assure that you are in fact up to date, and restart your server as
> necessary.
>
> We have released new versions of TurboGears, with this updated
> dependency.   So, you can also upgrade TurboGears to 1.0.3.3 (the most
> recent stable version), or 1.0.4b5 (the most recent beta), and all new
> TurboGears installs will not be vulnerable, even if they do turn on
> cherrypy.session.
>
> --
> Mark Ramm-Christensen
> email: mark at compoundthinking dot com
> blog: www.compoundthinking.com/blog
>
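Mark's advisory above describes a crafted session cookie being turned into file operations (delete, create, overwrite with pickled data) on files that start with SESSION_PREFIX, which means the cookie value was choosing the file name. As an added illustration that is not CherryPy's or TurboGears's code, the following constructed Python store shows that unsafe pattern beside a hardened lookup that only accepts ids of the exact format the server itself issues and then confirms the resolved path is still a direct child of the session directory. The prefix value, the 32-hex-digit id format, the directory path and the sample cookie values are all assumptions made for this example.

```python
import os
import re

# Constructed example, not CherryPy's session filter: a minimal file-backed
# session store where each session lives in one file named
# SESSION_PREFIX + <id taken from the client's cookie>.
SESSION_PREFIX = "session-"   # assumed prefix, standing in for the advisory's SESSION_PREFIX

# Assumed id format: the server only ever issues 32 lowercase hex digits, so
# any other cookie value is by definition not one of our ids.
SESSION_ID_RE = re.compile(r"^[0-9a-f]{32}$")


def is_valid_session_id(cookie_value):
    """True only for values matching the format the server itself issues."""
    return bool(SESSION_ID_RE.match(cookie_value))


def unsafe_session_path(session_dir, cookie_value):
    """The pattern the advisory warns about: the cookie value goes into the
    file name unchecked, so path separators and '..' inside it are honoured."""
    return os.path.join(session_dir, SESSION_PREFIX + cookie_value)


def escapes_session_dir(session_dir, cookie_value):
    """Report whether the unsafe construction resolves to a file that is not
    directly inside session_dir (the check a reviewer would apply)."""
    resolved = os.path.realpath(unsafe_session_path(session_dir, cookie_value))
    return os.path.dirname(resolved) != os.path.realpath(session_dir)


def safe_session_path(session_dir, cookie_value):
    """Hardened lookup: validate the id against the issued format first, then
    confirm the resolved path is still a direct child of session_dir.
    Raises ValueError instead of touching the filesystem for a bad id."""
    if not is_valid_session_id(cookie_value):
        raise ValueError("malformed session id in cookie")
    path = os.path.realpath(os.path.join(session_dir, SESSION_PREFIX + cookie_value))
    if os.path.dirname(path) != os.path.realpath(session_dir):
        raise ValueError("session path escapes the session directory")
    return path


if __name__ == "__main__":
    session_dir = "/var/lib/app/sessions"  # assumed location; nothing is written here
    samples = [
        "0123456789abcdef0123456789abcdef",  # constructed well-formed id
        "x/../../outside",                   # constructed malformed value
    ]
    for value in samples:
        print(repr(value), "valid:", is_valid_session_id(value),
              "unsafe path leaves dir:", escapes_session_dir(session_dir, value))
```

All three outcomes in the advisory start from the cookie value selecting which file is touched; rejecting anything that is not an id the server issued removes that choice before any read, write or delete happens, and the realpath check is a second line of defence in case the id format is ever loosened. Session files should still only ever be unpickled from the directory this store controls.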
You received this message because you are subscribed to the Google Groups "TurboGears" group.
For more options, visit this group at http://groups.google.com/group/turbogears?hl=en