
possible security vulnerability in user input

Open jvanasco opened this issue 7 years ago • 5 comments

I discovered a specific vulnerability in a handful of Python form validation and sanitization libraries yesterday. colander is affected. The behavior is desired in some contexts, but dangerous in most HTTP/HTML contexts.

Is there someone I can email about this?

jvanasco avatar Aug 04 '17 15:08 jvanasco

From https://pylonsproject.org/community-support.html

To report security issues with projects under the Pylons Project send email to: [email protected]. If we determine that your report may be a security issue with the project, we may contact you for further information.

Thank you!

stevepiercy avatar Aug 04 '17 16:08 stevepiercy

@jvanasco did you send an email about this issue? If not, would you please reach out to either the security list or to me personally? [email protected] or [email protected] (either one/both is fine).

digitalresistor avatar Feb 01 '19 08:02 digitalresistor

I thought I did, but there's nothing in my outbox. I'll email the group now.

jvanasco avatar Feb 01 '19 17:02 jvanasco

Thanks @jvanasco!

digitalresistor avatar Feb 01 '19 18:02 digitalresistor

If anyone in the general public is worried about this: please don't. Many upstream libraries and web browsers have since integrated safeguards against this overall attack type, making this ticket largely redundant.

jvanasco avatar Feb 01 '19 18:02 jvanasco