We've been waiting for a rather long time to hear back from the current maintainer of Pyblosxom, the Python blogging software running this blog. He's probably busy or taking some time off, so we are releasing patches for a few minor security issues ourselves. The main one is a cross-site scripting bug, likely the most annoying, common and rather stupid class of security issue in web applications. In any case, you most likely want this fixed! The same patches also close a potential directory traversal issue.

If you are using Pyblosxom to power your blog, please feel free to review these patches and apply them to your code base if required. This blog runs a slightly modified version of the original source code, with certain improvements for performance and aesthetics. In the future we might contribute our modifications to the upstream development tree.
Patch for 1.4.3:
diff -Nur pyblosxom-1.4.3/Pyblosxom/renderers/blosxom.py pyblosxom-1.4.3.custom/Pyblosxom/renderers/blosxom.py
--- pyblosxom-1.4.3/Pyblosxom/renderers/blosxom.py 2007-12-11 07:56:46.000000000 -0800
+++ pyblosxom-1.4.3.custom/Pyblosxom/renderers/blosxom.py 2008-09-06 06:06:51.000000000 -0700
@@ -48,7 +48,11 @@
path = path[:path.rfind(os.sep)+1] + "flavours" + os.sep
path = path + taste + ".flav"
-
+
+ # Detect NULL terminators and path traversal strings :>
+ if taste.find('\0') != -1 or taste.find('..') != -1:
+ raise NoSuchFlavourException("Flavour does not exist.")
+
if os.path.isdir(path):
template_files = os.listdir(path)
template_d = {}
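Review bot: the new check `if taste.find('\0') != -1 or taste.find('..') != -1:` only rejects NUL bytes and the `..` substring, so a flavour name containing a path separator (an absolute path, or a subdirectory below `flavours/`) is still concatenated into `path` unchanged. Consider also rejecting `os.sep` and `os.altsep` in `taste`, or normalising the result with `os.path.normpath` and confirming it still starts with the flavours directory. Minor: the check is inserted after `path = path + taste + ".flav"` has already been built; placing it before the concatenation (as the trunk version of this patch does) reads more clearly, and the `:>` in the comment is out of place in a security fix.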
@@ -186,13 +190,16 @@
# if we still haven't found our flavour files, we raise an exception
if not template_d:
- raise NoSuchFlavourException("Flavour '%s' does not exist." % taste)
+ raise NoSuchFlavourException("Flavour does not exist.")
for k in template_d.keys():
- flav_template = unicode(open(template_d[k]).read(),
- config.get('blog_encoding', 'iso-8859-1'))
- template_d[k] = flav_template
-
+ try:
+ flav_template = unicode(open(template_d[k]).read(),
+ config.get('blog_encoding', 'iso-8859-1'))
+ template_d[k] = flav_template
+ except:
+ raise NoSuchFlavourException("Flavour error: %s" % template_d[k])
+
return template_d
def _printTemplate(self, entry, template):
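Review bot: the bare `except:` around `open(template_d[k]).read()` catches everything, including `SystemExit` and `KeyboardInterrupt`, and re-raises every failure as `NoSuchFlavourException("Flavour error: %s" % template_d[k])`, which puts a filesystem path back into an error message that the first change in this hunk deliberately stripped of request-derived text. Narrow it to `except (IOError, UnicodeDecodeError):`, the two failures `open().read()` and `unicode(...)` can raise here, and keep the message fixed, e.g. `raise NoSuchFlavourException("Flavour does not exist.")`, logging the offending path server-side instead.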
Patch for the Subversion trunk, if you are running the "bleeding edge":
diff -Nur pyblosxom-trunk/Pyblosxom/renderers/blosxom.py pyblosxom-subreption/Pyblosxom/renderers/blosxom.py
--- pyblosxom-trunk/Pyblosxom/renderers/blosxom.py 2008-09-06 06:20:37.000000000 -0700
+++ pyblosxom-subreption/Pyblosxom/renderers/blosxom.py 2008-09-06 06:25:50.000000000 -0700
@@ -47,6 +47,9 @@
path = __file__[:__file__.rfind(os.sep)]
path = path[:path.rfind(os.sep)+1] + "flavours" + os.sep
+ if taste.find('\0') != -1 or taste.find('..') != -1:
+ return None
+
path = path + taste + ".flav"
if os.path.isdir(path):
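Review bot: `return None` on the rejected-name branch changes the method's contract: every caller that expects the template dictionary (or a `NoSuchFlavourException`) now has to handle `None`, and the 1.4.3 version of the same fix raises `NoSuchFlavourException("Flavour does not exist.")` instead. Raising here as well keeps the two patches consistent and avoids a later `TypeError` when a caller indexes the result. The check itself is correctly placed before `path = path + taste + ".flav"` is built, but like the 1.4.3 patch it does not reject `os.sep` or `os.altsep` in `taste`.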
@@ -190,12 +193,12 @@
# if we still haven't found our flavour files, we raise an exception
if not template_d:
- raise NoSuchFlavourException("Flavour '%s' does not exist." % taste)
+ raise NoSuchFlavourException("Flavour does not exist.")
for k in template_d.keys():
flav_template = open(template_d[k]).read()
template_d[k] = flav_template
-
+
return template_d
def renderContent(self, content):
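Review bot: the `-`/`+` pair at the end of this hunk is a whitespace-only change on an otherwise blank line and should be dropped from a security patch, since it adds review noise with no behavioural change. Note also that, unlike the 1.4.3 patch, this hunk leaves `open(template_d[k]).read()` unguarded, so an unreadable flavour file still surfaces as an uncaught `IOError`; if that difference is intentional (trunk no longer decodes with `unicode(...)`), a sentence saying so would help people applying the trunk patch.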
Thanks, and let us know if you have any issues with the patches. Please don't contact us for technical support for your blog or similar cases. If you don't know how to apply the patch, contact your system administrator or support from your hosting provider, or some friend with free time to help you out.