| Field | Value | Date |
|---|---|---|
| author | Bert JW Regeer <bertjw@regeer.org> | 2023-08-23 14:42:14 -0600 |
| committer | Bert JW Regeer <bertjw@regeer.org> | 2023-08-23 14:42:34 -0600 |
| commit | 6726314834d0de9e29c45dcb3d6f3ce9118a956d (patch) | |
| tree | b2beb10d66cc406d764ba65654c4b87fa625e51a /CHANGES.rst | |
| parent | fe4de1da370a373a788116727849bab585edaf02 (diff) | |
| download | pyramid-6726314834d0de9e29c45dcb3d6f3ce9118a956d.tar.gz pyramid-6726314834d0de9e29c45dcb3d6f3ce9118a956d.tar.bz2 pyramid-6726314834d0de9e29c45dcb3d6f3ce9118a956d.zip | |
Update CHANGES for exploit mitigation
Diffstat (limited to 'CHANGES.rst')
| -rw-r--r-- | CHANGES.rst | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/CHANGES.rst b/CHANGES.rst index a582ca98f..0039fe1e9 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -12,9 +12,22 @@ Features Bug Fixes --------- +- Removed support for null-bytes in the path when making a request for a file + against a static_view. Whille null-bytes are allowed by the HTTP + specification, due to the handling of null-bytes potentially leading to + security vulnerabilities it is no longer supported. + + This fixes a security vulnerability that is present due to a bug in Python + 3.11.0 through 3.11.4, thereby allowing the unintended disclosure of an + ``index.html`` one directory up from the static views path. + + Thanks to Masashi Yamane of LAC Co., Ltd for reporting this issue. + Backward Incompatibilities -------------------------- +- Requests to a static_view are no longer allowed to contain a null-byte in any + part of the path segment. - Pyramid is no longer tested on, nor supports Python 3.6 - Pyramid drops support for l*gettext() methods in the i18n module. These have been deprecated in Python's gettext module since 3.8, and |
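Review bot: neither the Bug Fixes entry nor the Backward Incompatibilities entry says what a static_view request containing a null byte now receives (which HTTP status, and whether the rest of the path is evaluated at all), and a changelog entry that removes accepted input should state that so operators can recognise the new behaviour in their logs. Two wording fixes in the same hunk: "Whille null-bytes are allowed" should read "While null bytes are allowed" (typo, and "null bytes" as a noun takes no hyphen, here and in the Backward Incompatibilities entry), and "in any part of the path segment" should be "in any path segment", since the restriction applies to every segment of the path, not one. Since the entry attributes the underlying bug to Python 3.11.0 through 3.11.4, it should also cite the CPython issue or the 3.11.5 changelog entry it relies on, so readers can verify that the affected range is exact and that the mitigation is intentionally kept on fixed interpreters as well.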
