Posted to mod_python-dev@quetz.apache.org by "Gregory (Grisha) Trubetskoy" <gr...@apache.org> on 2004/01/23 01:14:15 UTC

[ANNOUNCE] Mod_python 2.7.10

The Apache Software Foundation and The Apache HTTP Server Project are
pleased to announce the release of version 2.7.10 of mod_python.

This release addresses a vulnerability in mod_python 2.7.9 whereby a
specific query string processed by mod_python would cause the httpd
process to crash.

The previously released version 2.7.9 was supposed to correct this issue,
but is still vulnerable.

There are no other changes or improvements from the previous version in
this release.

If you are currently using mod_python 2.7.9 or earlier, it is highly
recommended that you upgrade to 2.7.10 as soon as possible.

If you are using mod_python 3.0.4, no action is necessary.

Mod_python is available for download from:

http://httpd.apache.org/modules/python-download.cgi

For more information about mod_python visit
http://www.modpython.org/

Regards,

Grisha Trubetskoy


Re: [mod_python] [ANNOUNCE] Mod_python 2.7.10

Posted by Andre Reitz <re...@inworks.de>.
Hi all,

A year ago I noticed a bug in the cgi handler.
Nobody has removed it until now.

File:
  mod_python-2.7.10/lib/python/mod_python/apache.py


import os
import sys          # module-level imports, as at the top of apache.py

def setup_cgi(req):
    """
    Replace sys.stdin and stdout with objects that read/write to
    the socket, as well as substitute the os.environ.
    Returns (environ, stdin, stdout) which you must save and then use
    with restore_nocgi().
    """

    # save env
    # BUG: the original reads  env = os.environ.copy()  -- the name env is
    # overwritten by build_cgi_env() below, so the saved copy is lost.
    saveenv = os.environ.copy()    # should be this
    si = sys.stdin
    so = sys.stdout

    env = build_cgi_env(req)       # CGI variables for this request

    for k in env.keys():
        os.environ[k] = env[k]

    # CGIStdout, CGIStdin and build_cgi_env are defined elsewhere in apache.py
    sys.stdout = CGIStdout(req)
    sys.stdin = CGIStdin(req)

    sys.argv = [] # keeps cgi.py happy

    # BUG: the original reads  return env, si, so  -- that hands the per-request
    # CGI environment to restore_nocgi() instead of the saved original.
    return saveenv, si, so         # should be this


Perhaps somebody wants to fix it....

It was very fatal for us:
we used the cgihandler in combination with cookies.
The cookies were used for authorization.
Because of this bug it could happen that cookies
got mixed between different sessions.
And some users were logged in to the accounts of other users.....
;(

We fixed this for us,
perhaps somebody will fix it for mod_python 2.7.11 ;)

Greetings, Andre'






On Thu, 22 Jan 2004 19:14:15 -0500 (EST)
"Gregory (Grisha) Trubetskoy" <gr...@apache.org> wrote:

> 
> The Apache Software Foundation and The Apache HTTP Server Project are
> pleased to announce the release of version 2.7.10 of mod_python.
> 
> This release addresses a vulnerability in mod_python 2.7.9 whereby a
> specific query string processed by mod_python would cause the httpd
> process to crash.
> 
> The previously released version 2.7.9 was supposed to correct this issue,
> but is still vulnerable.
> 
> There are no other changes or improvements from the previous version in
> this release.
> 
> If you are currently using mod_python 2.7.9 or earlier, it is highly
> recommended that you upgrade to 2.7.10 as soon as possible.
> 
> If you are using mod_python 3.0.4, no action is necessary.
> 
> Mod_python is available for download from:
> 
> http://httpd.apache.org/modules/python-download.cgi
> 
> For more information about mod_python visit
> http://www.modpython.org/
> 
> Regards,
> 
> Grisha Trubetskoy
> 
> _______________________________________________
> Mod_python mailing list
> Mod_python@modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python


-- 
__________________________________________________________________________

As a technology company we design and develop tailor-made feedback and
monitoring systems, such as solutions for complaint and idea management.
With the Inquery® Survey Server we offer one of the most powerful standard solutions for
online surveys with a focus on measuring customer satisfaction.
__________________________________________________________________________


Inworks GmbH
Andre Reitz, Head of Development
Hörvelsinger Weg 39, 89081 Ulm, Germany
Tel +49 (0) 731 / 93807-21
Fax +49(0)731/93807-18
Internet: http://www.inworks.de
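The cross-request leak Andre describes, as an added example that is not mod_python's code: a module-level dict named environ stands in for os.environ, build_cgi_env() and restore_nocgi() are simplified stand-ins for the apache.py functions, the stdin/stdout swapping is left out, and the two request objects are constructed. simulate() runs the same request pair (a cookie-bearing request followed by one with no Cookie header) through the buggy and the fixed setup_cgi() and returns the HTTP_COOKIE value each handler would have seen.

```python
"""Model of the setup_cgi()/restore_nocgi() environment handling and the
cross-request cookie leak.  Added example, not mod_python's code."""

# Constructed baseline: what the httpd child's environment looks like before
# any request is handled.  Stands in for os.environ.
BASELINE = {"PATH": "/usr/bin", "SERVER_SOFTWARE": "Apache"}
environ = dict(BASELINE)


def build_cgi_env(req):
    """Constructed stand-in for apache.build_cgi_env(): CGI variables derived
    from a fake request (a plain dict here)."""
    env = {"REQUEST_METHOD": req["method"], "QUERY_STRING": req.get("query", "")}
    if req.get("cookie") is not None:
        env["HTTP_COOKIE"] = req["cookie"]
    return env


def setup_cgi(req, buggy):
    """Environment half of setup_cgi() from the post.  With buggy=True the saved
    copy of the process environment is bound to the name env, which
    build_cgi_env() then overwrites, so the value handed back for restoration
    is this request's CGI environment instead of the original one."""
    if buggy:
        env = environ.copy()       # BUG: same name is reused below
    else:
        saveenv = environ.copy()   # fixed: distinct name survives
    env = build_cgi_env(req)
    for k in env.keys():
        environ[k] = env[k]
    return env if buggy else saveenv


def restore_nocgi(saved):
    """Put back whatever setup_cgi() handed us as the saved environment
    (simplified stand-in for apache.restore_nocgi())."""
    environ.clear()
    environ.update(saved)


def handle(req, buggy):
    """Run one request through setup/handler/restore and report what the
    handler saw as HTTP_COOKIE."""
    saved = setup_cgi(req, buggy)
    try:
        return environ.get("HTTP_COOKIE")
    finally:
        restore_nocgi(saved)


def simulate(buggy):
    """Two requests on one httpd child: alice sends her session cookie, then an
    unauthenticated client sends no Cookie header at all.  Returns the cookie
    value each handler saw."""
    environ.clear()
    environ.update(BASELINE)
    alice = {"method": "GET", "query": "page=1", "cookie": "session=alice"}  # constructed
    anon = {"method": "GET", "query": "page=2"}                                # constructed, no cookie
    return handle(alice, buggy), handle(anon, buggy)


if __name__ == "__main__":
    print("buggy:", simulate(buggy=True))    # ('session=alice', 'session=alice')
    print("fixed:", simulate(buggy=False))   # ('session=alice', None)
```

With the bug, restore_nocgi() reinstalls alice's CGI variables as the "original" environment, so the next request inherits her HTTP_COOKIE (and loses PATH and the other process variables); with the fix, the environment returns to the baseline between requests.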



Re: [ANNOUNCE] Mod_python 2.7.10

Posted by Oliver Graf <og...@rz-online.net>.
On Thu, Jan 22, 2004 at 07:14:15PM -0500, Gregory (Grisha) Trubetskoy wrote:
> 
> The Apache Software Foundation and The Apache HTTP Server Project are
> pleased to announce the release of version 2.7.10 of mod_python.

The traversal problem I discovered in 3.X is also in 2.7.

Because the loop always checks the module with hasattr, any dotted module
path (such as mylib.mymodule::MyClass.MyMethod) will fail.

Patch attached. Not tested, but the code seems unchanged in 3.X, so it
should fix the problem with the old version, too.

Oliver.
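The failure mode Oliver describes, as an added example that is neither mod_python's resolver nor the attached patch (which is not on the page): it assumes the problem arises when the module part of a module::object path is imported with a call that returns the top-level package (as __import__ does for a dotted name) and the hasattr loop is then walked from that package. The mylib.mymodule package layout is constructed in memory; resolve() shows the same loop succeeding once the leaf module is imported with importlib.import_module.

```python
import importlib
import sys
import types

# Constructed package layout standing in for the post's
# mylib.mymodule::MyClass.MyMethod.  Registering the modules in sys.modules
# directly keeps the example self-contained (no files on disk).
mylib = types.ModuleType("mylib")
mymodule = types.ModuleType("mylib.mymodule")


class MyClass:
    def MyMethod(self):
        return "handled"


mymodule.MyClass = MyClass
sys.modules["mylib"] = mylib
sys.modules["mylib.mymodule"] = mymodule


def resolve(spec, importer=importlib.import_module):
    """Resolve 'dotted.module::Obj.attr' to the object it names, walking the
    attribute path with a hasattr/getattr loop of the kind the post refers to.
    importer is the callable used for the module part; the default returns the
    leaf module, so dotted module names work."""
    module_name, sep, object_path = spec.partition("::")
    if not sep:
        raise ValueError("expected module::object, got %r" % spec)
    obj = importer(module_name)
    for name in object_path.split("."):
        if not hasattr(obj, name):
            raise AttributeError("%r has no attribute %r (resolving %s)"
                                 % (obj, name, spec))
        obj = getattr(obj, name)
    return obj


def outcomes(spec):
    """Run the same loop with both importers and report what each yields.
    __import__('mylib.mymodule') returns the package 'mylib', on which
    hasattr(..., 'MyClass') is False, so the loop fails there."""
    result = {}
    for label, importer in (("__import__", __import__),
                            ("import_module", importlib.import_module)):
        try:
            result[label] = resolve(spec, importer).__name__
        except AttributeError as exc:
            result[label] = "AttributeError: " + str(exc)
    return result


if __name__ == "__main__":
    for label, value in outcomes("mylib.mymodule::MyClass.MyMethod").items():
        print("%-14s %s" % (label, value))
```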