Security bugs on Windows servers: Flask 0.12.2 and Werkzeug 0.12.2 released
Original: https://www.palletsprojects.com/blog/flask-werkzeug-0122-security-release/
Flask 0.12.2 and Werkzeug 0.12.2 have been released, and they include a fix for a security-related bug in the safe_join function. The issue occurs when an application is run on a Windows server.
Details
David Lord discovered this bug and reported it to the other maintainers by private email:
While going through PR #2059 about safe_join, I looked up Python's ntpath.join and discovered a vulnerability that safe_join on Windows doesn't cover. https://docs.python.org/3/library/os.path.html#os.path.join: "os.path.join("c:", "foo") represents a path relative to the current directory on drive C: (c:foo)"
safe_join('\\root\\path', 'd:', 'test.txt') would break out of the trusted root directory and instead take the test file relative to the cwd on the d drive. This doesn't give completely arbitrary path access, since it's limited to the cwd, but it's still not good.
For developers, this means that an endpoint using safe_join could potentially be used to expose arbitrary files in the current working directory of the server process on Windows.
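The join behaviour described in the quoted e-mail can be reproduced on any OS with Python's ntpath module. This is an added example, not code from Flask or Werkzeug: naive_join and drive_aware_join are hypothetical helpers written for illustration, and the second one shows one way to refuse drive-qualified components before joining.

```python
import ntpath  # Windows path semantics; importable on any OS


def _escapes(part):
    """True if a component is rooted or climbs above its starting directory."""
    norm = ntpath.normpath(part)
    return norm.startswith("\\") or norm == ".." or norm.startswith("..\\")


def naive_join(root, *parts):
    """Hypothetical join that filters rooted and '..' parts but ignores drives."""
    if any(_escapes(p) for p in parts):
        return None
    return ntpath.join(root, *parts)


def drive_aware_join(root, *parts):
    """Same filter, plus refusal of any part carrying a drive or UNC prefix."""
    for p in parts:
        drive, _rest = ntpath.splitdrive(p)
        if drive or _escapes(p):
            return None
    return ntpath.join(root, *parts)


if __name__ == "__main__":
    root = "\\root\\path"  # trusted root, as in the quoted e-mail
    # A bare drive component resets the join; the result no longer contains root.
    print(naive_join(root, "d:", "test.txt"))
    # The drive-aware variant rejects the same input.
    print(drive_aware_join(root, "d:", "test.txt"))
    # Ordinary relative components still join under the root.
    print(drive_aware_join(root, "docs", "test.txt"))
```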
What happens next
We strongly recommend upgrading to Flask 0.12.2 and Werkzeug 0.12.2, in which the bug is fixed. (Flask, Werkzeug)
A CVE was requested on Tue, 16 May 2017 06:51:09 +0000 and was assigned CVE-2017-9088.
P.S. Please let me know in the comments about any part of the translation that needs correcting.