[ANN] Flask 0.6.1 Bugfix Out [Includes Fix for Windows Security Issue]
From: Armin Ronacher
Date: 2010-12-31 @ 14:28
Hello everybody,
I just pushed out Flask 0.6.1 which includes a bunch of bugfixes for the
0.6 version:
- Fixed an issue where the default `OPTIONS` response was
not exposing all valid methods in the `Allow` header.
- Jinja2 template loading syntax now allows "./" in front of
a template load path. Previously this caused issues with
module setups.
- Fixed an issue where the subdomain setting for modules was
ignored for the static folder.
- Fixed a security problem that allowed clients to download arbitrary
files if the host server was a Windows based operating system and the
client used backslashes to escape the directory the files were
exposed from.
It includes a bugfix for a security issue on Windows systems which
allowed an attacker to get access to any file on the filesystem the
user running the webserver has access to, for as long as the Flask
internal static file serving was enabled instead of that of the
webserver. An attacker could access files on the file system if
backslashes were used to escape the jail of the static folder.
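As an added mitigation example (this is not Flask's code and not the 0.6.1 fix itself), the bug class above shown side by side with a hardened resolver: a separator-blind check only understands "/", so on a Windows host a backslash path slips through, while the hardened version treats "\" as a separator on every platform and confirms containment after resolution. The static root, request strings and function names are constructed for the demonstration.

```python
import os
import tempfile


def naive_is_safe(requested):
    """Separator-blind check of the kind that holds on POSIX but not on
    Windows: it only splits on '/', so '..\\..\\secret.txt' looks like one
    harmless filename, yet the Windows filesystem still treats '\\' as a
    directory separator. Constructed to illustrate the bug class."""
    return ".." not in requested.split("/") and not requested.startswith("/")


def hardened_resolve(static_root, requested):
    """Return the absolute path to serve for `requested`, or None if the
    request must be refused. Treats '\\' as a separator on every platform,
    refuses absolute paths, drive prefixes and '..' components, then
    confirms the resolved path is still inside static_root."""
    normalized = requested.replace("\\", "/")
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return None
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    if not parts or any(p == ".." for p in parts):
        return None
    root = os.path.realpath(static_root)
    candidate = os.path.realpath(os.path.join(root, *parts))
    # commonpath guards against symlinks inside the static folder that
    # point outside it and against prefix tricks such as "/static-private".
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def demo():
    """Run both checks against constructed requests; returns a dict of
    outcomes (all expected True) so the behaviour can be asserted on."""
    with tempfile.TemporaryDirectory() as static_root:
        evil = "..\\..\\secret.txt"       # backslash traversal (constructed)
        evil_posix = "../../secret.txt"   # slash traversal (constructed)
        good = "css\\style.css"           # legitimate nested file
        expected = os.path.join(os.path.realpath(static_root), "css", "style.css")
        return {
            "naive_accepts_backslash_traversal": naive_is_safe(evil),
            "naive_rejects_slash_traversal": not naive_is_safe(evil_posix),
            "hardened_rejects_backslash_traversal": hardened_resolve(static_root, evil) is None,
            "hardened_rejects_slash_traversal": hardened_resolve(static_root, evil_posix) is None,
            "hardened_rejects_drive_prefix": hardened_resolve(static_root, "C:\\outside.txt") is None,
            "hardened_serves_nested_file": hardened_resolve(static_root, good) == expected,
        }
```

The first entry of `demo()` is the bug: the separator-blind check accepts the backslash request, which the operating system then walks out of the static folder.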
If you are using Flask in production on a Windows system we urge you to
upgrade to this release or the development version as soon as possible.
Regards,
Armin