Author: Ian Bicking Date: To: Paste Users, pylons-devel, pylons-discuss, turbogears-trunk, repoze-dev Subject: [Paste] Paste 1.7.4, security fix for XSS hole
Paste 1.7.4 is released. The only real change is to paste.httpexceptions,
which was using insecure quoting of some parameters and allowed an XSS hole,
most specifically with its 404 messages. The most notably WSGI application
using this is paste.urlparse.StaticURLParser and PkgResourcesParser. By
directing someone to an appropriately formed URL an attacker can execute
affected, but only if you have no application attached to /. Other
applications using paste.httpexceptions may be effected (especially
HTTPNotFound). WebOb/webob.exc.HTTPNotFound is not affected.
I believe the changes to 1.7.4 are limited and upgrading will have a low
You received this message because you are subscribed to the Google Groups "Paste Users" group.
To post to this group, send email to paste-users@???.
To unsubscribe from this group, send email to paste-users+unsubscribe@???.
For more options, visit this group at http://groups.google.com/group/paste-users?hl=en.
This message was posted to the following mailing lists: