ianb at colorstudy.com
Mon Dec 18 06:06:25 CET 2006
This release includes a security fix, fixing a situation where you
could escape the root when serving static files and running the Paste
HTTP server publicly. If you used other WSGI servers or used the
Paste HTTP server behind Apache this does not effect you. For an
update of Paste 1.0 that includes *only* the security fix, use
What Is Paste?
Install: easy_install Paste PasteScript PasteDeploy
Paste is a set of WSGI components, each of which can be used in
isolation. But used together they form an unstoppable force. Team
These components let you do things like create applications that proxy
to other websites, mount multiple applications under different
prefixes, catch exceptions and interactively inspect the environment,
and much more.
Paste Deploy is a configuration system for these components. Paste
Script is a jack of all trades that builds new project file layouts,
runs WSGI server stacks, and does application deployment.
* Security fix for paste.urlparser.StaticURLParser. The problem
allowed escaping the root (and reading files) when used with
paste.httpserver (this does not effect other servers, and does
not apply when proxying requests from Apache to
* paste.httpserver and paste.fixture.TestApp url-unquote
SCRIPT_NAME and PATH_INFO, as specified in the CGI spec.
Thanks to Jon Nelson for pointing out both these issues.
* paste.registry now works within the EvalException
* Added a __traceback_decorator__ magic local variable, to allow
arbitrary manipulation of the output of
paste.exceptions.collector before formatting.
* Added unicorn power to paste.pony (from Chad Whitacre)
* For paste.httpserver SSL support: add support loading an
explicit certificate context, and using ssl_pem='*' create an
unsigned SSL certificate (from Jason Kirtland).
* Allow variable assignments at the end of paster serve, like
paster serve http_port=80; then you can use %(http_port)s in
your config files (requires up-to-date Paste Deploy).
* Really nothing interesting.
Ian Bicking | ianb at colorstudy.com | http://blog.ianbicking.org
More information about the Python-announce-list