Security bugs on Windows servers: Flask 0.12.2 and Werkzeug 0.12.2 released

2017-05-22

Original: https://www.palletsprojects.com/blog/flask-werkzeug-0122-security-release/

Flask 0.12.2 and Werkzeug 0.12.2 have been released, and they contain a security-related bug fix for the safe_join function. The issue affects applications run on Windows servers.

Details

David Lord discovered this bug and notified the other maintainers by private email:

While going through PR #2059 about safe_join, I looked up Python's ntpath.join and discovered a vulnerability that safe_join on Windows doesn't cover.

https://docs.python.org/3/library/os.path.html#os.path.join: "os.path.join("c:", "foo") represents a path relative to the current directory on drive C: (c:foo)"

safe_join('\\root\\path', 'd:', 'test.txt') would break out of the trusted root directory and instead take the test file relative to the cwd on the d drive. This doesn't give completely arbitrary path access, since it's limited to the cwd, but it's still not good.

For developers, this means that an endpoint that uses safe_join could potentially be used to disclose arbitrary files in the current working directory of the server process on Windows.
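The mechanism behind the quoted report, as an added illustration that is not the page's or Werkzeug's own code: on Windows, os.path.join is ntpath.join, and a bare drive component such as 'd:' passes the usual "no separator, not absolute, no '..'" checks yet causes ntpath.join to drop the trusted root entirely. The block below uses ntpath explicitly so the Windows behaviour reproduces on any OS. vulnerable_safe_join approximates the pre-fix checks (an assumption about their shape, not a copy); hardened_safe_join additionally rejects any component that ntpath.splitdrive recognises as a drive or UNC prefix and joins with posixpath, which never interprets 'd:' as a drive; is_within_root is a defence-in-depth containment check a handler can run on the final path before opening it.

```python
import ntpath
import posixpath

# Constructed example, not Werkzeug's code. ntpath is used explicitly so the
# Windows path semantics are reproducible on Linux/macOS as well.


def vulnerable_safe_join(directory, *pathnames):
    """Approximation of the pre-0.12.2 checks (assumed shape): each component is
    normalised, rejected if it contains a backslash, is absolute, or climbs with
    '..', then joined with the platform join (ntpath here, to mimic Windows).
    A bare drive spec such as 'd:' passes every check, and ntpath.join then
    discards the trusted root and returns a path relative to the cwd on D:."""
    parts = [directory]
    for filename in pathnames:
        if filename != "":
            filename = posixpath.normpath(filename)
        if "\\" in filename:
            return None
        if ntpath.isabs(filename) or filename == ".." or filename.startswith("../"):
            return None
        parts.append(filename)
    return ntpath.join(*parts)


def hardened_safe_join(directory, *pathnames):
    """Hardened variant: any component carrying a drive letter or UNC prefix
    ('d:', 'd:foo', '//server/share') is rejected via ntpath.splitdrive, and the
    join uses posixpath so no component can ever reset the root."""
    parts = [directory]
    for filename in pathnames:
        if filename != "":
            filename = posixpath.normpath(filename)
        if "\\" in filename:
            return None
        if ntpath.splitdrive(filename)[0]:
            return None
        if posixpath.isabs(filename) or filename == ".." or filename.startswith("../"):
            return None
        parts.append(filename)
    return posixpath.join(*parts)


def is_within_root(root, candidate):
    """Defence in depth: normalise both paths under Windows rules and confirm the
    candidate still lies beneath root. A candidate on another drive, or one that
    is drive-relative while root is absolute, makes commonpath raise, which is
    treated as 'not contained'."""
    root_n = ntpath.normcase(ntpath.normpath(root))
    cand_n = ntpath.normcase(ntpath.normpath(candidate))
    try:
        return ntpath.commonpath([root_n, cand_n]) == root_n
    except ValueError:
        return False


if __name__ == "__main__":
    # The exact inputs from the report, plus a benign request for comparison.
    root = "\\root\\path"
    for components in (("d:", "test.txt"), ("css", "app.css")):
        bad = vulnerable_safe_join(root, *components)
        good = hardened_safe_join(root, *components)
        print(components, "->", bad, "| contained:", is_within_root(root, bad),
              "| hardened:", good)
```

The first loop iteration shows the escape: the vulnerable join yields 'd:test.txt', is_within_root reports it as outside the root, and the hardened join returns None, the same "refuse the request" signal safe_join already uses for '..' and absolute components.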

What happens next

Upgrading to Flask 0.12.2 and Werkzeug 0.12.2, which contain the fix, is strongly recommended. (Flask, Werkzeug)

A CVE was requested on Tue, 16 May 2017 06:51:09 +0000, and the identifier CVE-2017-9088 was assigned.

ps) If any part of the translation needs correcting, please let me know in the comments.

#FLASK  #Werkzeug  #safe_join  #CVE  #CVE-2017-9088  #Windows Flask  #dev