<p><strong>Security — Pallets Project</strong></p>
<h1>Werkzeug 0.11.6 Security Release</h1>
<p>2016-04-14, Armin Ronacher</p>
<p>Today we pushed out a <a href="/p/werkzeug/">Werkzeug</a> bugfix release which contains
a security-relevant fix. It has come to our attention (reported by <a href="https://github.com/JordanMilne/">Jordan Milne</a>)
that the PIN brute-force protection in the Werkzeug debugger could be bypassed
by attacking the cookie rather than the PIN. While this is generally not easily
fixable, we improved the situation by mixing higher-quality secret data into the
cookie name and making it more complex. We now include a UUID of the machine
the code is running on.</p>
<p>This should make it significantly more complex to bypass the PIN check. That said,
we want to reiterate that the PIN protection for the debugger is <em>not a suitable
protection for running the debugger in production</em>. It is a basic security feature that makes
it less likely that an accidentally enabled debugger can be used. Please ensure that you never
enable the debugger in production environments, regardless of this feature.</p>
<h1>Jinja 2.8.1 Security Release</h1>
<p>2016-12-29, Armin Ronacher</p>
<p>We just pushed out a new release of Jinja (2.8.1) which includes a security-related
fix. If you are using the Jinja2 sandbox you are encouraged to upgrade, or alternatively
to manually lock down the sandbox further.</p>
<p>The core of the issue is that the <code>format</code> method on Python strings
can be used to discover potentially dangerous values, including configuration values:</p>
<pre><code>>>> config = {'SECRET_KEY': '12345'}
>>> class User(object):
...     def __init__(self, name):
...         self.name = name
...
>>> user = User('joe')
>>> '{0.__class__.__init__.__globals__[config]}'.format(user)
"{'SECRET_KEY': '12345'}"
</code></pre>
<p>For this reason <em>you must never let users supply format strings</em> in raw Python, as it is
too easy to escape them. For the Jinja2 sandbox specifically, however, we changed the
behavior: the same sandboxing functionality that Jinja2 uses for its own runtime is now
also applied to Python string formatting.</p>
<p>This means that with 2.8.1 and higher, templates rendered in sandboxed environments
intercept format strings the same way as ordinary unsafe attribute access:</p>
<pre><code>>>> from jinja2.sandbox import SandboxedEnvironment
>>> env = SandboxedEnvironment()
>>> class User(object):
...     def __init__(self, name):
...         self.name = name
...
>>> t = env.from_string(
...     '{{ "{0.__class__.__init__.__globals__}".format(user) }}')
>>> t.render(user=User('joe'))
Traceback (most recent call last):
  ...
jinja2.exceptions.SecurityError: ...
</code></pre>
<p>If you don't want to or cannot upgrade Jinja2, you can override the <code>is_safe_attribute</code>
method on the sandbox and explicitly disallow all <code>format</code> attributes on strings.</p>
<p>Thank you to <a href="https://twitter.com/odony">Olivier Dony</a> for reporting the issue.</p>
<h1>Security bugs on Windows servers: Flask 0.12.2 and Werkzeug 0.12.2 released</h1>
<p>2017-05-16, Markus Unterwaditzer</p>
<p>Flask 0.12.2 and Werkzeug 0.12.2 have been released. They contain the same
<strong>security bugfix</strong> for the <code>safe_join</code> function in each package.</p>
<p>The problem only occurs if you are running your application on a Windows
server.</p>
<h2 id="details">Details</h2><p><a href="https://twitter.com/davidism">David Lord</a> initially found this bug (thanks!)
and disclosed it to the other maintainers in a private email:</p>
<blockquote><p>While going through PR #2059 about safe_join, I looked up Python's ntpath.join
and discovered a vulnerability that safe_join on Windows doesn't cover.</p>
<p><a href="https://docs.python.org/3/library/os.path.html#os.path.join">https://docs.python.org/3/library/os.path.html#os.path.join</a>:
"<code>os.path.join("c:", "foo")</code> represents a path relative to the current
directory on drive C: <code>(c:foo)</code>"
<br>
<code>safe_join('\\root\\path', 'd:', 'test.txt')</code> would break out of the trusted
root directory and instead take the test file relative to the cwd on the d
drive. This doesn't give completely arbitrary path access, since it's
limited to the cwd, but it's still not good.</p>
</blockquote>
<p>For the application developer this means that endpoints using <code>safe_join</code> could
potentially be used to disclose arbitrary files in the server process's
current working directory on Windows.</p>
<h2 id="what-happens-next">What happens next</h2><p>We strongly recommend upgrading to Flask 0.12.2 and Werkzeug 0.12.2, as this
bug has been fixed there (<a href="https://github.com/pallets/flask/pull/2284">Flask</a>,
<a href="https://github.com/pallets/werkzeug/commit/2497866d7eafa64ca5eb4fb3d1747c05036bf318">Werkzeug</a>).</p>
<p>A CVE was requested on <code>Tue, 16 May 2017 06:51:09 +0000</code>; <code>CVE-2017-9088</code> was assigned.</p>
<h1>Flask 0.12.3 Released</h1>
<p>2018-04-26, David Lord</p>
<p>This release includes an important security fix for JSON and a minor backport for CLI support in PyCharm. It is provided for projects that cannot update to Flask 1.0 immediately. See the <a href="/blog/flask-1-0-released">1.0 announcement</a> and update to it instead if possible.</p>
<h2 id="json-security-fix">JSON Security Fix</h2><p>Flask previously decoded incoming JSON bytes using the charset from the request's content type. Although JSON should only be encoded as UTF-8, Flask was more lenient. However, Python includes codecs that are not text encodings, and a request declaring one of those could result in unexpected memory use.</p>
<p>Flask will now detect the encoding of incoming JSON data as one of the supported UTF encodings, and will not allow arbitrary encodings from the request.</p>
<h2 id="upgrade">Upgrade</h2><p>Upgrade from <a href="https://pypi.org/project/Flask/">PyPI</a> with pip. Use a version identifier if you want to stay at 0.12:</p>
<pre><code>pip install -U Flask==0.12.3
</code></pre>
<p>Or upgrade to 1.0:</p>
<pre><code>pip install -U Flask
</code></pre>
<h1>Flask 1.0 Released</h1>
<p>2018-04-26, David Lord</p>
<p>The Pallets team is pleased to release <a href="https://palletsprojects.com/p/flask/">Flask</a> 1.0.</p>
<p>The Flask framework has been stable for a long time. A little more than 8 years after the first commit, the version number finally reflects that. 1.0 comes with a significant number of changes representing over a year of work.</p>
<ul>
<li>Dropped support for Python 2.6 and 3.3.</li>
<li>The CLI is more flexible. <code>FLASK_APP</code> can point to an app factory, optionally with arguments. It understands import names in more cases where filenames were previously used. It automatically detects common filenames, app names, and factory names. <code>FLASK_ENV</code> describes the environment the app is running in, like <code>development</code>, and replaces <code>FLASK_DEBUG</code> in most cases. <a href="http://flask.pocoo.org/docs/1.0/cli/">See the docs to learn more.</a></li>
<li>If python-dotenv is installed, the <code>flask</code> CLI will load environment variables from <code>.flaskenv</code> and <code>.env</code> files rather than having to export them in each new terminal.</li>
<li>The development server is multi-threaded by default to handle concurrent requests during development.</li>
<li><code>flask.ext</code>, which was previously deprecated, is completely removed. Import extensions by their actual package names.</li>
<li>Accessing missing keys from <code>request.form</code> shows a more helpful error message in debug mode, addressing a very common source of confusion for developers.</li>
<li>Error handlers are looked up by code then exception class, on the blueprint then application. This gives more predictable control over handlers, including being able to handle <code>HTTPException</code>.</li>
<li>The behavior of <code>app.logger</code> has been greatly simplified and should be much easier to customize. The logger is always named <code>flask.app</code>, it only adds a handler if none are registered, and it never removes existing handlers. <a href="http://flask.pocoo.org/docs/1.0/logging/">See the docs to learn more.</a></li>
<li>The <code>test_client</code> gained a <code>json</code> argument for posting JSON data, and the <code>Response</code> object gained a <code>get_json</code> method to decode the data as JSON in tests.</li>
<li>A new <code>test_cli_runner</code> is added for testing an app's CLI commands.</li>
<li>Many documentation sections have been rewritten to improve clarity and relevance. This is an ongoing effort.</li>
<li>The <a href="http://flask.pocoo.org/docs/1.0/tutorial/">tutorial</a> and corresponding <a href="https://github.com/pallets/flask/tree/1.0/examples/tutorial">example</a> have been rewritten. They use a structured layout and go into more detail about each aspect in order to help new users avoid common issues and become comfortable with Flask.</li>
</ul>
<p>There are many more changes throughout the framework. <a href="http://flask.pocoo.org/docs/1.0/changelog/">Read the full changelog</a> to understand what changes may affect your code when upgrading.</p>
<h2 id="json-security-fix">JSON Security Fix</h2><p>Flask previously decoded incoming JSON bytes using the charset from the request's content type. Although JSON should only be encoded as UTF-8, Flask was more lenient. However, Python includes codecs that are not text encodings, and a request declaring one of those could result in unexpected memory use.</p>
<p>Flask will now detect the encoding of incoming JSON data as one of the supported UTF encodings, and will not allow arbitrary encodings from the request.</p>
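<p>The detection described in the JSON security fix (in this 1.0 announcement and in the 0.12.3 post above) can be illustrated with a small stand-alone decoder; this is an added example, not Flask's own implementation. It picks the UTF variant from a byte-order mark or from the null-byte layout of the first bytes, and the <code>load_json_body</code> wrapper and <code>BadJSONEncoding</code> error are names assumed for the demo; the charset a client declares is deliberately never consulted.</p>

```python
import codecs
import json


class BadJSONEncoding(ValueError):
    """Raised when the body is not valid JSON in a UTF encoding."""


def detect_utf_encoding(data):
    """Choose a UTF encoding from a BOM or, failing that, from the null-byte
    pattern of the first four bytes. JSON text starts with an ASCII
    character, so the pattern identifies UTF-8/16/32 and the endianness."""
    head = data[:4]
    if head in (codecs.BOM_UTF32_LE, codecs.BOM_UTF32_BE):
        return "utf-32"
    if head[:2] in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE):
        return "utf-16"
    if head[:3] == codecs.BOM_UTF8:
        return "utf-8-sig"
    if len(head) == 4:
        if head[:3] == b"\x00\x00\x00":
            return "utf-32-be"
        if head[::2] == b"\x00\x00":
            return "utf-16-be"
        if head[1:] == b"\x00\x00\x00":
            return "utf-32-le"
        if head[1::2] == b"\x00\x00":
            return "utf-16-le"
    elif len(head) == 2:
        return "utf-16-be" if head[0] == 0 else "utf-16-le"
    return "utf-8"


def load_json_body(data, declared_charset=None):
    """Decode a request body as JSON. declared_charset (what a Content-Type
    header carried) is accepted only to make the point that it is never
    used: the encoding comes from the bytes and can only be a UTF codec,
    so a non-text codec name sent by the client never reaches the decoder."""
    encoding = detect_utf_encoding(data)
    try:
        return json.loads(data.decode(encoding))
    except (UnicodeDecodeError, ValueError) as exc:
        raise BadJSONEncoding(f"body is not valid {encoding} JSON") from exc
```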
<h2 id="install-or-upgrade">Install or Upgrade</h2><p>Install from <a href="https://pypi.org/project/Flask/">PyPI</a> with pip:</p>
<pre><code>pip install -U Flask
</code></pre>
<h2 id="get-involved">Get Involved</h2><p>Flask and the Pallets team depend on you, the community. Whether you report issues, write documentation, create patches, or answer questions, we appreciate all the help you provide. Check out the <a href="https://github.com/pallets/flask/blob/master/CONTRIBUTING.rst">contributing guide</a> to get started.</p>
<h2 id="donate">Donate</h2><p>The Pallets organization has joined the Python Software Foundation's Fiscal Sponsorship program. We now accept donations through the PSF in order to support our efforts to maintain the projects and grow the community. <a href="https://psfmember.org/civicrm/contribute/transact?reset=1&id=20">Click here to donate.</a></p>
<h1>Jinja 2.10.1 Security Release</h1>
<p>2019-04-06, David Lord</p>
<p>Jinja 2.10.1 has been released and includes a security-related fix. If
you are using the Jinja <a href="http://jinja.pocoo.org/docs/2.10/sandbox/">sandboxed environment</a> you are encouraged to
upgrade.</p>
<p>MITRE has assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10906">CVE-2019-10906</a> to this issue.</p>
<p>Thank you to <a href="https://brianwel.ch">Brian Welch</a> for responsibly reporting the issue, and to
<a href="https://twitter.com/mitsuhiko">Armin Ronacher</a> for writing the fix.</p>
<p>The sandbox is used to restrict what code can be evaluated when
rendering untrusted, user-provided templates. Due to the way string
formatting works in Python, the <code>str.format_map</code> method could be used to
escape the sandbox.</p>
<p>This issue was previously addressed for the <code>str.format</code> method in
<a href="/blog/jinja-281-released/">Jinja 2.8.1</a>, which discusses the issue in detail. However, the
less-common <code>str.format_map</code> method was overlooked. This release applies
the same sandboxing to both methods.</p>
<p>If you cannot upgrade Jinja, you can override the <code>is_safe_attribute</code>
method on the sandbox and explicitly disallow the <code>format_map</code>
method on string objects.</p>
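<p>The mechanism behind both fixes (the <code>str.format</code> case from the 2.8.1 post and the <code>str.format_map</code> case here) can be shown without Jinja: a <code>string.Formatter</code> subclass resolves each hop of a field like <code>{0.a.b[c]}</code> itself and consults an attribute policy before every step. This is an added example, not Jinja's sandbox code; the underscore-based <code>is_safe_attribute</code> policy, the <code>SecurityError</code> class and the <code>User</code>/<code>config</code> objects are assumptions constructed for the demo.</p>

```python
import string
from _string import formatter_field_name_split  # the helper str.format itself uses (CPython)


class SecurityError(Exception):
    """Raised when a format string reaches an attribute the sandbox blocks."""


def is_safe_attribute(obj, attr):
    # Assumed policy for this demo: anything starting with an underscore
    # (__class__, __init__, __globals__, ...) is off limits.
    return not str(attr).startswith("_")


class SandboxedFormatter(string.Formatter):
    """string.Formatter resolves '{0.a[b]}' with bare getattr() and indexing.
    Here every hop is passed through is_safe_attribute() first, which is the
    approach the Jinja sandbox applies to format() and format_map()."""

    def get_field(self, field_name, args, kwargs):
        first, rest = formatter_field_name_split(field_name)
        obj = self.get_value(first, args, kwargs)
        for is_attr, name in rest:
            if not is_safe_attribute(obj, name):
                raise SecurityError(f"access to {name!r} is not allowed")
            obj = getattr(obj, name) if is_attr else obj[name]
        return obj, first


def safe_format(fmt, *args, **kwargs):
    """Checked replacement for fmt.format(*args, **kwargs)."""
    return SandboxedFormatter().vformat(fmt, args, kwargs)


def safe_format_map(fmt, mapping):
    """Checked replacement for fmt.format_map(mapping). Both entry points
    share vformat(), so one check covers the 2.8.1 and 2.10.1 cases."""
    return SandboxedFormatter().vformat(fmt, (), mapping)


# Constructed demo objects mirroring the post's REPL session.
config = {"SECRET_KEY": "12345"}


class User:
    def __init__(self, name):
        self.name = name


user = User("joe")
```

Plain <code>"{0.__class__.__init__.__globals__[config]}".format(user)</code> still returns the dictionary, while the same string through <code>safe_format</code> raises <code>SecurityError</code> at the first underscore hop.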
<h2 id="reporting-security-issues">Reporting Security Issues</h2><p>If you think you have discovered a security issue in Jinja or another of
the Pallets projects, please email <a href="mailto:security@palletsprojects.com">security@palletsprojects.com</a> with
details.</p>
<h1>Werkzeug 0.15.3 Released</h1>
<p>2019-05-14, David Lord</p>
<p>Werkzeug 0.15.3 has been released, followed closely by 0.15.4. Both fix
bugs and compatibility issues. The <a href="https://werkzeug.palletsprojects.com/en/0.15.x/changes/#version-0-15-3">changelog</a> lists the changes in
detail, which include:</p>
<ul>
<li>The debugger pin is unique per Docker container.</li>
<li>Fix issues with the arguments to the <code>Unauthorized</code> HTTP exception.</li>
<li>Fix <code>ProfilerMiddleware</code> filenames, and get <code>LintMiddleware</code> working
on Python 3.</li>
<li>Bytes passed to URLs will be correctly decoded rather than having a
<code>b</code> prefix.</li>
</ul>
<h2 id="debugger-pin-security">Debugger Pin Security</h2><p>A minor security issue was addressed in this release. The debugger
generates a unique pin per host to prevent unauthorized code execution.
However, in Docker this pin would be identical across all containers.
This release ensures each container uses a unique pin.</p>
<p>Thank you to Nikita Tikhomirov for responsibly reporting the issue. If
you think you have discovered a security issue in Werkzeug or another of
the Pallets projects, please email <a href="mailto:security@palletsprojects.com">security@palletsprojects.com</a> with
details.</p>
<h2 id="install-or-upgrade">Install or Upgrade</h2><p>Install from <a href="https://pypi.org/project/Werkzeug/">PyPI</a> with pip:</p>
<pre><code>pip install -U Werkzeug
</code></pre>
<h1>Werkzeug 0.15.5 Released</h1>
<p>2019-07-17, David Lord</p>
<p>Werkzeug 0.15.5 has been released, containing bug and security fixes.
The <a href="https://werkzeug.palletsprojects.com/en/0.15.x/changes/#version-0-15-5">changelog</a> lists the changes in detail, which include:</p>
<ul>
<li><code>SharedDataMiddleware</code> safely handles drive names in paths on Windows.</li>
<li>The reloader no longer causes an <code>Exec format error</code> in many common
situations.</li>
<li>The reloader works around an issue when using the pydev debugger.</li>
</ul>
<h2 id="security-fix-for-shareddatamiddleware-on-windows">Security fix for <code>SharedDataMiddleware</code> on Windows</h2><p>Prior to 0.15.5, a third party could potentially access
arbitrary files when the application used <code>SharedDataMiddleware</code> on
Windows. This issue was assigned <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14322">CVE-2019-14322</a>.</p>
<p>Due to the way Python's <code>os.path.join()</code> function works on Windows, a
path segment with a drive name will change the drive of the final path.
This was <a href="/blog/flask-werkzeug-0-12-2-security-release/">previously addressed</a> in the <code>safe_join()</code> function in
<a href="/blog/flask-werkzeug-0-12-2-security-release/">Werkzeug 0.12.2</a>, but <code>SharedDataMiddleware</code> used a separate
implementation and so was not secured by the previous fix.</p>
<p><code>SharedDataMiddleware</code> now uses <code>safe_join()</code> when fetching requested
files. Projects using <code>SharedDataMiddleware</code> on Windows should update
as soon as possible to receive the fix.</p>
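<p>The drive-name behaviour behind this fix and the earlier <code>safe_join</code> fix in the 0.12.2 post can be reproduced on any platform with Python's <code>ntpath</code> module, which implements Windows path rules. The following is an added example, not Werkzeug's or Flask's code: <code>naive_join</code> is an illustrative join that trusts <code>ntpath.join</code>, and <code>hardened_join</code> is an assumed check that rejects a segment carrying a drive, a root, or <code>..</code> before joining it under the trusted directory.</p>

```python
import ntpath  # Windows path semantics; importable on every platform


def naive_join(root, *segments):
    """A join that trusts ntpath.join, as the posts describe for the
    pre-fix code: a segment such as 'd:' swaps the drive and drops root.
    (Illustrative reconstruction, not the library's code.)"""
    return ntpath.join(root, *segments)


def hardened_join(root, *segments):
    """Join untrusted segments under a trusted root. A segment is rejected
    (None is returned) if it carries a drive ('d:', 'D:\\x', a UNC share),
    is rooted ('\\etc', '/etc'), or climbs with '..'. Only then is the
    join performed, so the result always stays below root."""
    for seg in segments:
        drive, tail = ntpath.splitdrive(seg)
        if drive or tail[:1] in ("\\", "/"):
            return None
        parts = ntpath.normpath(seg).replace("\\", "/").split("/")
        if ".." in parts:
            return None
    return ntpath.join(root, *segments)
```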
<p>Thank you to <a href="mailto:byemre.ovunc@gmail.com">Emre Övünç</a> and <a href="mailto:security@odoo.com">Olivier Dony</a> for responsibly
reporting the issue. If you think you have discovered a security issue
in Werkzeug or another of the Pallets projects, please email
<a href="mailto:security@palletsprojects.com">security@palletsprojects.com</a> with details.</p>
<h2 id="install-or-upgrade">Install or Upgrade</h2><p>Install from <a href="https://pypi.org/project/Werkzeug/">PyPI</a> with pip:</p>
<pre><code>pip install -U Werkzeug
</code></pre>