Python Bottle JSON content-type not restrictive enough

2014.05.01
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Hi,

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746322 and https://github.com/defnull/bottle/issues/616 report an issue where Bottle treated "text/plain;application/json" as JSON, allowing security mechanisms to be bypassed. From the upstream report: "For example Chrome will not allow cross-origin xmlhttprequests with the content type set to "application/json" but you can set it to "text/plain;application/json" instead and bottle will accept it."

Package: python-bottle
Version: 0.12.5-1
Severity: normal
Tags: security upstream

Bottle parses a content-type like "text/plain;application/json" as JSON. This can be used to bypass security mechanisms. The bug is tracked in https://github.com/defnull/bottle/issues/616

The bug affects versions 0.10.11-1 and 0.12.5-1 and is already fixed in 0.12.6-1

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (600, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IE.UTF-8, LC_CTYPE=en_IE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages python-bottle depends on:
pn  python:any  <none>

python-bottle recommends no packages.

python-bottle suggests no packages.

-- no debconf information
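As an added example (not Bottle's code and not part of the bug report), the snippet below contrasts a loose substring check, modelled on the behaviour the report describes, with a check that compares only the media type after stripping header parameters. `parse_json_body` and `make_environ` are hypothetical helpers over a WSGI environ; the sample header values are constructed.

```python
import io
import json
from typing import Optional

# Constructed sample Content-Type header values, including the one from the report.
SAMPLE_HEADERS = [
    "application/json",
    "application/json; charset=utf-8",
    "text/plain;application/json",   # the value the advisory describes
    "text/plain",
]

def loose_is_json(content_type: str) -> bool:
    """Loose check modelled on the behaviour the report describes:
    any header value that merely contains 'application/json' is accepted."""
    return "application/json" in content_type.lower()

def media_type(content_type: str) -> str:
    """Return the media type (type/subtype) of a Content-Type value,
    lower-cased and without parameters (everything after the first ';')."""
    return content_type.split(";", 1)[0].strip().lower()

def strict_is_json(content_type: str) -> bool:
    """Corrected check: only the media type decides, so
    'text/plain;application/json' is text/plain, not JSON."""
    return media_type(content_type) == "application/json"

def make_environ(content_type: str, body: bytes) -> dict:
    """Build a minimal WSGI environ (hypothetical helper, for demonstration)."""
    return {"CONTENT_TYPE": content_type, "wsgi.input": io.BytesIO(body)}

def parse_json_body(environ: dict) -> Optional[object]:
    """Decode the request body as JSON only when the media type is exactly
    application/json; otherwise return None so the body is not treated as JSON."""
    if not strict_is_json(environ.get("CONTENT_TYPE", "")):
        return None
    return json.loads(environ["wsgi.input"].read().decode("utf-8"))

def compare_checks() -> dict:
    """Map each sample header to (loose, strict) so the divergence is visible."""
    return {h: (loose_is_json(h), strict_is_json(h)) for h in SAMPLE_HEADERS}

if __name__ == "__main__":
    for header, (loose, strict) in compare_checks().items():
        print(f"{header!r:40} loose={loose!s:5} strict={strict}")
```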

References:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746322
https://github.com/defnull/bottle/issues/616
