
Ticket #2171 (closed defect: fixed)

Opened 10 years ago

Last modified 10 years ago

Possible security problem with quickstart/controllers/error.py

Reported by: aigarius Owned by: Chris Arndt
Priority: normal Milestone: 2.0b5
Component: Quickstart Templates Version: trunk
Severity: major Keywords:


_serve_file is exposed by default and it could be tricked into serving files that the webmaster did not intend to be publicly accessible. It works perfectly fine without the @expose.
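
The following is an added illustration of the class of bug the report describes; it is not the TurboGears quickstart code and not anything from the ticket. It models TurboGears-style dispatch with a toy `expose` marker and a toy `dispatch()` function (both hypothetical), then contrasts a controller whose file-serving helper carries `@expose` with one where the helper is unexposed and additionally confines the resolved path to the static root. The assumption that the helper could be "tricked" by path traversal or an absolute path is mine; the ticket only states that the method should not have been exposed. The file tree and its contents are constructed sample data.

```python
import os
import tempfile


def expose(func):
    """Toy stand-in for TurboGears' @expose: marks a method as reachable by URL.

    Only the marker semantics matter here; the real decorator also handles
    templating, content types and so on.
    """
    func.exposed = True
    return func


def dispatch(controller, method_name, **params):
    """Toy URL dispatcher (hypothetical, not the framework's own code).

    Models the one rule that matters here: a request for
    /error/<method_name>?... reaches a controller method only if the method
    carries the `exposed` marker. Anything else is a 404.
    """
    method = getattr(controller, method_name, None)
    if method is None or not getattr(method, "exposed", False):
        return 404, b"Not Found"
    try:
        return 200, method(**params)
    except (OSError, ValueError):
        return 403, b"Forbidden"


class VulnerableErrorController:
    """The shape of the problem in the report: a file-serving helper decorated
    with @expose, so any client may call it with a path of its choosing."""

    def __init__(self, static_root):
        self.static_root = static_root

    @expose
    def _serve_file(self, path):
        # Reachable as /error/_serve_file?path=... with no confinement of
        # `path`: ".." escapes static_root, and os.path.join discards
        # static_root entirely when `path` is absolute.
        with open(os.path.join(self.static_root, path), "rb") as fh:
            return fh.read()

    @expose
    def document(self):
        return b"<h1>Error</h1>"


class HardenedErrorController:
    """Same controller with the two fixes a practitioner would apply:
    1. _serve_file is no longer @exposed, so it is not URL-reachable at all;
    2. even for internal callers, the resolved path must stay under static_root."""

    def __init__(self, static_root):
        self.static_root = os.path.realpath(static_root)

    def _serve_file(self, path):
        # Internal helper only: no @expose.
        full = os.path.realpath(os.path.join(self.static_root, path))
        # realpath collapses ".." and resolves symlinks; then require the
        # result to be static_root itself or something beneath it.
        if full != self.static_root and not full.startswith(self.static_root + os.sep):
            raise ValueError("path escapes static root: %r" % path)
        with open(full, "rb") as fh:
            return fh.read()

    @expose
    def document(self):
        # The public entry point decides which file gets served; the client
        # never supplies a path.
        return self._serve_file("error.html")


def run_demo():
    """Build a throwaway tree (constructed sample data) and exercise both
    controllers. Returns a dict of outcomes so they can be checked in code."""
    with tempfile.TemporaryDirectory() as tmp:
        static_root = os.path.join(tmp, "static")
        os.mkdir(static_root)
        with open(os.path.join(static_root, "error.html"), "wb") as fh:
            fh.write(b"<h1>Error</h1>")
        # A file outside the static root that must never be served (constructed).
        outside = os.path.join(tmp, "app.cfg")
        with open(outside, "wb") as fh:
            fh.write(b"db_password = s3cret\n")

        vuln = VulnerableErrorController(static_root)
        hard = HardenedErrorController(static_root)
        results = {
            "vuln_legit": dispatch(vuln, "_serve_file", path="error.html"),
            "vuln_traversal": dispatch(vuln, "_serve_file", path="../app.cfg"),
            "vuln_absolute": dispatch(vuln, "_serve_file", path=outside),
            "hard_traversal": dispatch(hard, "_serve_file", path="../app.cfg"),
            "hard_document": dispatch(hard, "document"),
        }
        try:
            hard._serve_file("../app.cfg")
            results["hard_internal"] = "served"
        except ValueError:
            results["hard_internal"] = "rejected"
        return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

Removing `@expose` is the fix the ticket asks for and is sufficient to close the URL-reachable path; the realpath confinement is defence in depth for the day some other exposed method passes user input into the helper.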

Change History

comment:1 Changed 10 years ago by jorge.vargas

  • Status changed from new to closed
  • Resolution set to fixed

The error controller code was in flux for the last couple of releases. We believe it is now stable and it doesn't have this method, which was stolen from pylons. Please see #2086. I just checked with pylons and it isn't "exposed", so it isn't valid there.

comment:2 Changed 10 years ago by aigarius

Cool, thanks :)
