[Web-SIG] WSGI in standard library

Graham Dumpleton grahamd at dscpl.com.au
Sun Feb 12 12:58:24 CET 2006


On 12/02/2006, at 10:39 PM, Alan Kennedy wrote:

> Note the security hole uncovered in the standard library xml-rpc lib
> last year.
>
> PSF-2005-001 - SimpleXMLRPCServer.py allows unrestricted traversal
> http://www.python.org/security/PSF-2005-001/
>
> This particular security hole is the very reason why the Python Security
> response team had to be founded, and required point-releases of the
> entire python distribution to fix, i.e. python 2.3.5 and python 2.4.1
> were released simply to fix this bug.

FWIW, that isn't entirely true. Python 2.3.5 was about to be released at
that time anyway for other reasons. Because of this issue it was, though,
delayed a little bit to add the change. As to Python 2.4.1 I can't find the
exact details. There was going to be a 2.4.1 release a few weeks later,
again for other reasons, so I think the fix got rolled into the first
release candidate.

Anyway, not that it matters, but the security fix was not the only thing
in those releases.

Graham
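Editor's added example (not part of the thread, and not code from the
Python project itself). PSF-2005-001 concerned the instance dispatch in
SimpleXMLRPCServer: a method name such as "a.b.c" was resolved with a chain
of getattr() calls from the registered object, so a remote caller could
walk into attributes that were never meant to be remote methods. The fix in
2.3.5/2.4.1 added register_instance(..., allow_dotted_names=False) and
refused any path component beginning with an underscore. Python 3's
xmlrpc.server keeps that switch, so the behaviour can be shown offline by
feeding marshalled request bodies to the dispatcher's _marshaled_dispatch()
directly (a sockets-free shortcut chosen for the example). The Calculator
class and its "secret" attribute are constructed for illustration only.

```python
"""Added example: dotted-name traversal in xmlrpc.server and the
allow_dotted_names switch introduced by the PSF-2005-001 fix."""
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher


class Calculator:
    """Hypothetical service object, constructed for this example."""

    def __init__(self):
        # Plain attribute the service author never intended to expose.
        self.secret = "hunter2"

    def add(self, a, b):
        return a + b


def build_dispatcher(allow_dotted_names):
    """Register a Calculator with or without dotted-name traversal."""
    dispatcher = SimpleXMLRPCDispatcher(allow_none=False, encoding=None)
    dispatcher.register_instance(Calculator(),
                                 allow_dotted_names=allow_dotted_names)
    return dispatcher


def call(dispatcher, method, *params):
    """Marshal a request as a client would, dispatch it, unmarshal the reply.

    Returns ("ok", value) on success or ("fault", fault_string) when the
    server side answered with an XML-RPC fault.
    """
    request = xmlrpc.client.dumps(params, methodname=method)
    response = dispatcher._marshaled_dispatch(request)  # bytes
    try:
        (value,), _ = xmlrpc.client.loads(response)
    except xmlrpc.client.Fault as fault:
        return ("fault", fault.faultString)
    return ("ok", value)


if __name__ == "__main__":
    safe = build_dispatcher(allow_dotted_names=False)
    # The one method we meant to publish works either way.
    print(call(safe, "add", 2, 3))          # ('ok', 5)
    # A traversal attempt is refused: the name is looked up verbatim.
    print(call(safe, "secret.upper")[0])    # fault

    # With traversal re-enabled, any public attribute chain ending in a
    # callable becomes a remote method, although only add() was written
    # to be one. This is the pre-fix behaviour the default now turns off.
    legacy = build_dispatcher(allow_dotted_names=True)
    print(call(legacy, "secret.upper"))     # ('ok', 'HUNTER2')
    # Underscore-prefixed components are still blocked by the fix, which
    # closes the obvious routes into function and class internals.
    print(call(legacy, "add.__globals__")[0])  # fault
```

The point for anyone registering an object on an XML-RPC server today: leave
allow_dotted_names at its default, or register individual functions with
register_function() so the set of remotely reachable callables is explicit.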
