Clean locale identifiers before loading from file #782
Conversation
This is kinda okay but there is a potential concern. Since certain names are reserved on windows you could cause a DOS by for instance trying to load `aux.dat` or similar files. To make this safer this should likely assert it's not in the list of reserved file names. `basename` itself might be okay. While there are some scary inputs like `..`, loading the join of dirname name `...dat` is still okay.

@mitsuhiko Good call on the special filenames, I had forgotten those are still a thing on Windows. I added another commit that refactors the previous single call to `os.path.basename()`
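The two checks discussed above, reducing the identifier to a basename and refusing Windows reserved device names, as an added illustration that is not Babel's own code: the reserved-name set, the locale regex and the function names are assumptions made here, and the example also verifies that the final `.dat` path resolves inside the locale directory.

```python
import os
import re

# Windows DOS device names (assumed list from Windows documentation, not
# Babel's code). "aux.dat" still targets the device regardless of extension.
_WINDOWS_RESERVED = {"con", "prn", "aux", "nul"} | {
    f"{dev}{n}" for dev in ("com", "lpt") for n in range(1, 10)
}
# Plausible locale identifiers: "en", "en_US", "zh_Hant_TW" (assumed shape).
_LOCALE_RE = re.compile(r"^[A-Za-z]{2,3}(?:_[A-Za-z0-9]{2,8})*$")


def clean_locale_name(name):
    """Reduce an untrusted locale identifier to a safe file stem, or None."""
    stem = os.path.basename(name)
    if not stem or stem != name:
        return None  # a path separator was present: traversal attempt
    if not _LOCALE_RE.match(stem):
        return None  # rejects "..", ".", "...dat" and odd characters
    if stem.lower() in _WINDOWS_RESERVED:
        return None  # "aux", "con", ... would hang or fail on Windows
    return stem


def locale_data_path(locale_dir, name):
    """Return the .dat path for `name` inside `locale_dir`, or None if unsafe."""
    stem = clean_locale_name(name)
    if stem is None:
        return None
    path = os.path.join(locale_dir, stem + ".dat")
    # Belt and braces: the resolved path must still lie inside locale_dir.
    root = os.path.realpath(locale_dir)
    if os.path.commonpath([root, os.path.realpath(path)]) != root:
        return None
    return path


if __name__ == "__main__":
    # Constructed sample inputs, including the cases raised in review.
    for sample in ("en_US", "zh_Hant_TW", "../../etc/passwd", "aux", "..", "...dat"):
        print(repr(sample), "->", locale_data_path("/tmp/locale-data", sample))
```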
CVE-2021-20095 has been assigned to this.

CVE-2021-20095 appears to have been rejected again ("This candidate was withdrawn by its CNA") according to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20095

Does anybody know more about the rejection from Tenable? I can't find any useful information on their blog.

I asked Tenable about it:

Tenable answered they didn't mean to register it in the first place, hence why they rejected it.

CVE-2021-42771 now describes this issue.
```
+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
| checked 90 packages, using default DB                                        |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| babel                      | 2.6.0     | <2.9.1                   | 42203    |
+==============================================================================+
| Babel 2.9.1 includes a fix for CVE-2021-42771: Babel.Locale in Babel before  |
| 2.9.1 allows attackers to load arbitrary locale .dat files (containing       |
| serialized Python objects) via directory traversal, leading to code          |
| execution. python-babel/babel#782                                            |
| https://lists.debian.org/debian-lts/2021/10/msg00040.html                    |
| https://www.tenable.com/security/research/tra-2021-14                        |
| https://lists.debian.org/debian-lts-announce/2021/10/msg00018.html           |
+==============================================================================+
| pycryptodome               | 3.10.3    | <3.11.0                  | 42084    |
+==============================================================================+
| Pycryptodome version 3.11.0 includes a fix for the DSA construction          |
| algorithm. Modulus "p" primality check wasn't working. https://github.com/Le |
| grandin/pycryptodome/pull/557/commits/183f8d1c7a5e145e78b86fb54da7e327a277d9 |
| c6                                                                           |
+==============================================================================+
```
```
+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
| checked 80 packages, using free DB (updated once a month)                    |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| babel                      | 2.8.0     | <2.9.1                   | 42203    |
+==============================================================================+
| Babel 2.9.1 includes a fix for CVE-2021-42771: Babel.Locale in Babel before  |
| 2.9.1 allows attackers to load arbitrary locale .dat files (containing       |
| serialized Python objects) via directory traversal, leading to code          |
| execution.                                                                   |
| python-babel/babel#782                                                       |
| https://lists.debian.org/debian-lts/2021/10/msg00040.html                    |
| https://www.tenable.com/security/research/tra-2021-14                        |
| https://lists.debian.org/debian-lts-announce/2021/10/msg00018.html           |
+==============================================================================+
| pycryptodome               | 3.10.3    | <3.11.0                  | 42084    |
+==============================================================================+
| Pycryptodome version 3.11.0 includes a fix for the DSA construction          |
| algorithm. Modulus "p" primality check wasn't working.                       |
| Legrandin/pycryptodome@183f8d1c7a5e145e7                                     |
| 8b86fb54da7e327a277d9c6                                                      |
+==============================================================================+
```
```
+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
| checked 118 packages, using free DB (updated once a month)                   |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| pycryptodome               | 3.10.3    | <3.11.0                  | 42084    |
+==============================================================================+
| Pycryptodome version 3.11.0 includes a fix for the DSA construction          |
| algorithm. Modulus "p" primality check wasn't working.                       |
| Legrandin/pycryptodome@183f8d1c7a5e145e7                                     |
| 8b86fb54da7e327a277d9c6                                                      |
+==============================================================================+
| babel                      | 2.9.0     | <2.9.1                   | 42203    |
+==============================================================================+
| Babel 2.9.1 includes a fix for CVE-2021-42771: Babel.Locale in Babel before  |
| 2.9.1 allows attackers to load arbitrary locale .dat files (containing       |
| serialized Python objects) via directory traversal, leading to code          |
| execution.                                                                   |
| python-babel/babel#782                                                       |
| https://lists.debian.org/debian-lts/2021/10/msg00040.html                    |
| https://www.tenable.com/security/research/tra-2021-14                        |
| https://lists.debian.org/debian-lts-announce/2021/10/msg00018.html           |
+==============================================================================+
| sqlalchemy-utils           | 0.36.8    | >=0.27.0                 | 42194    |
+==============================================================================+
| Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES     |
| with CBC mode. The IV that it uses is not random though.                     |
| kvesteri/sqlalchemy-utils#166                                                |
+==============================================================================+
| babel                      | 2.9.0     | <2.9.1                   | 42203    |
+==============================================================================+
| Babel 2.9.1 includes a fix for CVE-2021-42771: Babel.Locale in Babel before  |
| 2.9.1 allows attackers to load arbitrary locale .dat files (containing       |
| serialized Python objects) via directory traversal, leading to code          |
| execution.                                                                   |
| python-babel/babel#782                                                       |
| https://lists.debian.org/debian-lts/2021/10/msg00040.html                    |
| https://www.tenable.com/security/research/tra-2021-14                        |
| https://lists.debian.org/debian-lts-announce/2021/10/msg00018.html           |
+==============================================================================+
```
```
+==============================================================================+
|                                                                              |
|                               /$$$$$$            /$$                         |
|                              /$$__  $$          | $$                         |
|           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
|          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
|         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
|          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
|          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
|         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
|                                                          /$$  | $$           |
|                                                         |  $$$$$$/           |
|  by pyup.io                                              \______/            |
|                                                                              |
+==============================================================================+
| REPORT                                                                       |
| checked 25 packages, using free DB (updated once a month)                    |
+============================+===========+==========================+==========+
| package                    | installed | affected                 | ID       |
+============================+===========+==========================+==========+
| babel                      | 2.8.0     | <2.9.1                   | 42203    |
+==============================================================================+
| Babel 2.9.1 includes a fix for CVE-2021-42771: Babel.Locale in Babel before  |
| 2.9.1 allows attackers to load arbitrary locale .dat files (containing       |
| serialized Python objects) via directory traversal, leading to code          |
| execution.                                                                   |
| python-babel/babel#782                                                       |
| https://lists.debian.org/debian-lts/2021/10/msg00040.html                    |
| https://www.tenable.com/security/research/tra-2021-14                        |
| https://lists.debian.org/debian-lts-announce/2021/10/msg00018.html           |
+==============================================================================+
```