Changeset 919

Timestamp:

01/10/06 09:15:52

Author:

rdelon

Message:

Backporting security patch to 2.1.0. Preparing for 2.1.1 release

Files:

• tags/cherrypy-2.1.1/CHANGELOG.txt (modified) (1 diff)
• tags/cherrypy-2.1.1/cherrypy/__init__.py (modified) (1 diff)
• tags/cherrypy-2.1.1/cherrypy/_cpwsgiserver.py (modified) (1 diff)
• tags/cherrypy-2.1.1/cherrypy/lib/filter/staticfilter.py (modified) (2 diffs)
• tags/cherrypy-2.1.1/setup.py (modified) (3 diffs)

tags/cherrypy-2.1.1/CHANGELOG.txt

@@ +1 @@
+2006-01-10:
+    * CherryPy-2.1.1 released
+    * Patch for serious security flaw in staticfilter
+
-2005-10-21:
-    * CherryPy-2.1.0 released

tags/cherrypy-2.1.1/cherrypy/__init__.py

@@ -31 +31 @@
-"""
-
-0
+1
-
-import datetime

tags/cherrypy-2.1.1/cherrypy/_cpwsgiserver.py

@@ -273 +273 @@
-class CherryPyWSGIServer(object):
-    
-0
+1
-    ready = False
-    interrupt = None

tags/cherrypy-2.1.1/cherrypy/lib/filter/staticfilter.py

@@ -36 +36 @@
-    
-    def beforeMain(self):
-
+, HTTPError
-        from cherrypy.lib import cptools
-        
@@ -58 +58 @@
-            extraPath = extraPath.lstrip(r"\/")
-            extraPath = urllib.unquote(extraPath)
+            if '..' in extraPath:
+                # Disallow ".." in path otherwise this is a security flaw
+                raise HTTPError(403) # Forbidden
-            filename = os.path.join(staticDir, extraPath)
-        

tags/cherrypy-2.1.1/setup.py

@@ -19 +19 @@
-###############################################################################
-name = "CherryPy"
-0
+1
-desc = "Object-Oriented web development framework"
-long_desc = "CherryPy is a pythonic, object-oriented web development framework"
@@ -38 +38 @@
-    "cherrypy.tutorial", "cherrypy.test",
-]
-download_url="http://sourceforge.net/project/showfiles.php?group_id=56099"
-data_files=[
-    ('cherrypy/tutorial',
@@ -80 +79 @@
-        license=cp_license,
-        packages=packages,
-        download_url=download_url,
-        data_files=data_files,
-    )