Ticket #744 (defect)

Opened 10 months ago

Last modified 10 months ago

Malicious cookies may allow access to files outside the session directory

Status: closed (fixed)

Reported by: fumanchu
Assigned to: fumanchu
Priority: highest
Milestone:
Component: CherryPy code
Keywords: security
Cc:

If a user supplies a malicious session id via a cookie, and the server is using file-based sessions, there is a possibility that the application could reference a file outside the session directory. The file name would have to begin with the SESSION_PREFIX. Reading arbitrary files into the session dictionary is mitigated by the use of pickle.load to read the data; similarly, writing is always performed via pickle.dump. File creation and deletion, however, have no such mitigation.
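The check this report calls for, sketched as an added example that is not part of the ticket or CherryPy's own code. It assumes the session file path is built by joining the storage directory with SESSION_PREFIX plus the cookie value, and that ids are 40 hex characters; the prefix value, the function names and the sample id are all constructed for illustration.

```python
import os
import re

SESSION_PREFIX = "session-"               # name from the ticket; value assumed
_ID_FORMAT = re.compile(r"[0-9a-f]{40}")  # assumed: ids are 40 hex characters

# Constructed cookie value whose joined path leaves the session directory
# while the final file name still begins with SESSION_PREFIX.
BAD_ID = "x/../../outside/" + SESSION_PREFIX + "y"


def naive_session_path(storage_path, session_id):
    """Assumed pre-fix pattern: the cookie value goes straight into the path."""
    return os.path.join(storage_path, SESSION_PREFIX + session_id)


def is_inside(storage_path, path):
    """True only if path resolves to a file directly inside storage_path."""
    root = os.path.realpath(storage_path)
    return os.path.dirname(os.path.realpath(path)) == root


def safe_session_path(storage_path, session_id):
    """Return the session file path or raise ValueError for a hostile id."""
    if not _ID_FORMAT.fullmatch(session_id):
        raise ValueError("malformed session id")
    path = naive_session_path(storage_path, session_id)
    # Containment check; also rejects a session file that is a symlink
    # pointing out of the session directory.
    if not is_inside(storage_path, path):
        raise ValueError("session path escapes the session directory")
    return path
```

Every create, load, save and delete should go through the validated path, since the report notes that file creation and deletion get no protection from pickle.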

Change History

10/27/07 12:16:22: Modified by fumanchu

  • status changed from new to assigned.

Trunk fix in [1773].

10/27/07 12:22:02: Modified by fumanchu

  • status changed from assigned to closed.
  • resolution set to fixed.

3.0.x fix in [1774].

10/27/07 12:24:02: Modified by fumanchu

2.x fix in [1775].

10/27/07 12:32:24: Modified by fumanchu

2.1 fix in [1776].
