Posted to dev@allura.apache.org by Dave Brondsema <da...@brondsema.net> on 2012/09/19 17:21:54 UTC

security issue with easywidgets (Allura dependency)

I recommend all Allura deployments upgrade EasyWidgets to version
0.2dev-20120918 immediately.  If you cannot do that, apply this patch to your
current easywidgets version:
https://bitbucket.org/rick446/easywidgets/changeset/9b761c63620e5cbabc89e7ab34c599bd536f3c75
That will close a vector of attack in which arbitrary filesystem paths can be
specified in the URL and exposed to the requester.  Example in the commit link
above.


-- 
Dave Brondsema : dave@brondsema.net
http://www.brondsema.net : personal
http://www.splike.com : programming
              <><