Vickenty Fesunov 2004-05-27 04:51

random filesystem access

Roundup uses the /home/@@file/ prefix to get static files from the filesystem. It does not restrict in any way the files that are handled. I have a roundup tracker home at /home/kent/cit, then I do the following:

    kent@kent:~$ nc localhost 8080
    GET /cit/@@file/../../../../etc/passwd HTTP/1.0
    Host: kent

    HTTP/1.0 200 OK
    Server: BaseHTTP/0.3 Python/2.3.3
    Date: Thu, 27 May 2004 11:47:04 GMT
    Last-Modifed: Tue, 18 May 2004 14:00:15 GMT
    Content-Length: 1088
    Content-Type: text/plain
    Pragma: no-cache

and my actual /etc/passwd follows. Perhaps the roundup web interface should restrict @@file requests to some directory.

------------------------------------------------------------------------

Date: 2004-05-27 14:48
Sender: richard
Logged In: YES user_id=6405

Fixed, and I'll put up new releases for 0.6 and 0.7 ASAP. Thanks for the report.

------------------------------------------------------------------------

Date: 2004-05-27 09:18
Sender: kent_turbo
Logged In: YES user_id=714555

I have attached a patch that fixes this bug. It uses os.path.normpath to normalise the path, and then checks that the file to be served resides under STATIC_FILES (new variable in the config) path. config.py in the templates are patched to include this new variable.

------------------------------------------------------------------------

Date: 2004-05-27 08:41
Sender: kent_turbo
Logged In: YES user_id=714555

I have attached a patch that fixes this bug. It uses os.path.normpath to normalise the path, and then checks that the file to be served resides under STATIC_FILES (new variable in the config) path. config.py in the templates are patched to include this new variable.
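The report shows an unrestricted @@file handler resolving ../../../../etc/passwd, and the comment thread describes the fix as os.path.normpath plus a check that the result lies under a configured STATIC_FILES directory. The following is an added example illustrating that pattern; it is not Roundup's code and not the attached patch. The function names, the root /home/kent/cit/html, the URL-decoding step and the rejection of absolute paths are assumptions made for the illustration. It goes slightly beyond the thread by showing two pitfalls a normpath-based check has to handle: a prefix comparison without a trailing separator (so /home/kent/cit/html2 would pass as "under" /home/kent/cit/html), and percent-encoded dots that only become ".." after decoding.

```python
import os
from urllib.parse import unquote


class ForbiddenPath(Exception):
    """Raised when a requested static file is outside the static root."""


def naive_static_path(static_root, requested):
    """The unrestricted behaviour the report describes (hypothetical reconstruction):
    join the request path onto the directory and serve whatever that resolves to.
    With requested='../../../../etc/passwd' this yields '/etc/passwd'."""
    return os.path.normpath(os.path.join(static_root, unquote(requested)))


def resolve_static(static_root, requested):
    """Hardened resolution: normalise, then require the result to sit strictly
    below static_root (the thread's STATIC_FILES). Raises ForbiddenPath otherwise.

    static_root is assumed to be an absolute directory path."""
    root = os.path.normpath(os.path.abspath(static_root))

    # Decode before checking: '%2e%2e/' is '../' to the filesystem only after unquoting,
    # so a check on the raw request string would miss it.
    decoded = unquote(requested)

    # NUL would truncate the path in C-level open() calls on older interpreters.
    if "\x00" in decoded:
        raise ForbiddenPath(requested)

    # An absolute request path makes os.path.join discard the root entirely
    # ('/x' + '/etc/passwd' -> '/etc/passwd'), so refuse it before joining.
    if decoded.startswith(("/", "\\")):
        raise ForbiddenPath(requested)

    candidate = os.path.normpath(os.path.join(root, decoded))

    # Compare against root + separator, not root alone: 'html2/x' starts with the
    # string 'html' but is a sibling directory, not a child. Requiring the separator
    # also rejects the root directory itself, which is not a servable file.
    if not candidate.startswith(root + os.sep):
        raise ForbiddenPath(requested)
    return candidate


def is_allowed(static_root, requested):
    """Convenience predicate: True if resolve_static would serve the request."""
    try:
        resolve_static(static_root, requested)
        return True
    except ForbiddenPath:
        return False


if __name__ == "__main__":
    ROOT = "/home/kent/cit/html"  # assumed STATIC_FILES value for the tracker in the report
    probes = [
        "style.css",
        "sub/../style.css",
        "../../../../etc/passwd",      # the request from the report
        "%2e%2e/%2e%2e/etc/passwd",    # same traversal, percent-encoded
        "../html2/secret.txt",         # sibling directory sharing the root's name prefix
        "/etc/passwd",                 # absolute path swallowing the root
        "",                            # the root directory itself
    ]
    for p in probes:
        print("%-30s naive=%-40s hardened=%s" % (
            p, naive_static_path(ROOT, p), "ALLOW" if is_allowed(ROOT, p) else "DENY"))
```

The naive function is kept only to make the contrast visible; the hardened one is the pattern the thread describes, with the separator-aware prefix test being the detail that decides whether the normpath check actually closes the hole. A realpath() call on both sides would additionally defeat symlinks planted inside the static directory, at the cost of a filesystem round trip per request.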