Comment 38 for bug 1496277

Steven Hardy (shardy) wrote : Re: template-validate may read server local files (CVE-2015-5295)

Unfortunately the fix we had in mind for bug 1508115 proved impractical for a number of reasons, so we had to go with a simpler interim fix, which does not have the side-effect of fixing this bug.

So we're still in the process of working through options - basically it boils down to what Angus said in comment #14, the subtext of which is there's considerable hidden complexity around our (inconsistent) application of the user_resource flag in the environment (you can't rely on it always being false for templates loaded from the global environment, which IMO is a bug), and also around our usage of the generate_class derived subclass for facade validation.

I hope we'll have better news soon but if not then we'll probably have to revisit the path restriction workaround posted by Angus in comment #7. My objections to that approach stand, but I now understand the reasons for it much better :(