The bug is that a number of modules are imported at class scope in order
to compute paths on disk to images. I can't see any reason not to move those
imports up to module scope, which would remove the attack vector.
The attached patch against the 2.12 branch makes the reported URL result
in a 404 (as desired).
This bug was introduced on the 2.12 branch in r114796:
r114796 | hannosch | 2010-07-16 15:01:27 -0400 (Fri, 16 Jul 2010) | 2 lines
Fixed deprecation warnings in OFS.misc_
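As an added illustration (not part of this bug comment or of Zope's own code), the Python below shows why class-scope imports matter, namely that every name bound in a class body becomes a class attribute reachable by attribute lookup, and gives a small AST check that flags such imports. The `Misc_` class, and `os`/`sys` as the imported modules, are a constructed stand-in for the real module, chosen so the sample runs stand-alone.

```python
import ast
import types

# Constructed sample modelled on the bug in the comment: a class body imports
# modules only to compute an image path. Every name bound in a class body is a
# class attribute, so the modules become reachable by attribute lookup on the
# class. (os and sys stand in for the real modules so the sample runs alone.)
CLASS_SCOPE_SRC = '''
class Misc_:
    import os
    import sys
    image_dir = os.path.join(os.path.dirname(sys.executable), "www")
'''

# The fix the comment proposes: the same imports hoisted to module scope.
MODULE_SCOPE_SRC = '''
import os
import sys

class Misc_:
    image_dir = os.path.join(os.path.dirname(sys.executable), "www")
'''


def class_scope_imports(source):
    """(class_name, bound_name, lineno) for each import directly in a class body."""
    found = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.ClassDef):
            continue
        for stmt in node.body:
            if isinstance(stmt, (ast.Import, ast.ImportFrom)):
                for alias in stmt.names:
                    bound = alias.asname or alias.name.split(".")[0]
                    found.append((node.name, bound, stmt.lineno))
    return found


def build_class(source):
    """Execute a sample and return its Misc_ class."""
    namespace = {}
    exec(source, namespace)
    return namespace["Misc_"]


def exposed_module_attrs(cls):
    """Class attributes whose values are modules: what attribute traversal reaches."""
    return sorted(name for name, value in vars(cls).items()
                  if isinstance(value, types.ModuleType))
```

Running `class_scope_imports` over a code base is a cheap way to find other classes with the same pattern before a publisher turns them into traversable attributes.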