
Update to Jinja2 2.10.1 #3115

Closed
wants to merge 1 commit into from

Conversation

kinow (Member) commented Apr 13, 2019

Close #3114

Updates to Jinja2 2.10.1.

@kinow kinow added the "bug" (Something is wrong :() label Apr 13, 2019
@kinow kinow added this to the next-release milestone Apr 13, 2019
kinow (Member, Author) commented Apr 17, 2019

Oh, bad news. Jinja 2.10.1 with the security fix is Python 3 only apparently. They added asyncio support (see build failure). I tried to remove the two files that add async support, but they are mentioned in environment.py and in another file.

So I think 7.8.x will have to go out with the dependency that had the CVE. And in that case this PR can be closed 😕

hjoliver (Member) commented

Oh, bad news. Jinja 2.10.1 with the security fix is Python 3 only apparently.

Can we argue (as I think you did @kinow, in your initial email about this problem) that the CVE does not pose any additional risk in the Cylc context? And if so, will that satisfy your colleagues @MartinRyan? (Well, it'll have to ... I don't see we have much choice here).

kinow (Member, Author) commented Apr 23, 2019

Can we argue (as I think you did @kinow, in your initial email about this problem) that the CVE does not pose any additional risk in the Cylc context?

I think so. I tried one different scenario, where a user A would have access to Cylc Review, and then create suites and tasks with malicious names. But that did not work, and even if it had worked, it would give him access to the Cylc operating system, under Cylc's user account... which he already has anyway.

I was concerned only if I could modify something in the web layer through the exploit (e.g. steal cookies, inject JS), but I didn't find an easy way to exploit it.

So +1 from me

(also found several issues in Cylc Review while testing it with special characters...)

@hjoliver hjoliver self-assigned this Apr 26, 2019
@hjoliver hjoliver added the "wontfix" and "non-cylc bug" (This is a bug, but not in Cylc) labels and removed the "bug" (Something is wrong :() label Apr 26, 2019
@hjoliver hjoliver closed this Apr 26, 2019