[Secure-testing-team] Bug#746322: python-bottle: JSON content-type not restrictive enough
Federico Ceratto
federico.ceratto at gmail.com
Mon Apr 28 23:51:16 UTC 2014
Package: python-bottle
Version: 0.12.5-1
Severity: normal
Tags: security upstream
Bottle parses a content-type like "text/plain;application/json" as JSON. This can be used to bypass security mechanisms.
The bug is tracked in https://github.com/defnull/bottle/issues/616
The bug affects versions 0.10.11-1 and 0.12.5-1 and is already fixed in 0.12.6-1
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (600, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages python-bottle depends on:
pn python:any <none>
python-bottle recommends no packages.
python-bottle suggests no packages.
-- no debconf information
More information about the Secure-testing-team
mailing list