Message 103485 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	gsakkis
Recipients	brett.cannon, eric.araujo, gsakkis, hauser, mrts, rhettinger
Date	2010-04-18.12:05:35
SpamBayes Score	1.9286048e-05
Marked as misclassified	No
Message-id	<1271592338.01.0.755764710475.issue2090@psf.upfronthosting.co.za>
In-reply-to

Content
> On the surface this seems like a potential directory traversal attack > hole, although I couldn't get past 'pkg' by passing '../../../', so I > guess there must be other checks before attempting the import. I rushed to post; it turns out one can access packages in parent directories, so I think it's accurate to describe it as a directory traversal hole.

> On the surface this seems like a potential directory traversal attack
> hole, although I couldn't get past 'pkg' by passing '../../../', so I 
> guess there must be other checks before attempting the import.

I rushed to post; it turns out one *can* access packages in parent directories, so I think it's accurate to describe it as a directory traversal hole.

History
Date	User	Action	Args
2010-04-18 12:05:38	gsakkis	set	recipients: + gsakkis, brett.cannon, rhettinger, hauser, eric.araujo, mrts
2010-04-18 12:05:38	gsakkis	set	messageid: <1271592338.01.0.755764710475.issue2090@psf.upfronthosting.co.za>
2010-04-18 12:05:36	gsakkis	link	issue2090 messages
2010-04-18 12:05:36	gsakkis	create