
Security flaw, to be fixed in 0.56.1 and 0.57 #1360

Closed

simonw opened this issue Jun 5, 2021 · 2 comments

Owner
simonw commented Jun 5, 2021

See security advisory here for details: GHSA-xw7c-jx9m-xh5g - the ?_trace=1 debugging option was not correctly escaping its JSON output, resulting in a reflected cross-site scripting vulnerability.

simonw added the security label Jun 5, 2021
simonw added a commit that referenced this issue Jun 5, 2021

Owner Author
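The failure mode named in the comment above (JSON debug output dropped into a page without escaping, giving reflected XSS) is shown here in a small added example. This is not Datasette's code: the function names, the `<script>` embedding and the sample trace record are all constructed for illustration, and the escaping approach is the usual `\uXXXX` substitution, which may differ from what the actual fix did.

```python
import json

# Constructed sample trace record. The string value is the kind of
# attacker-controlled text (a query parameter echoed back by a debug
# page) that makes the embedding unsafe.
SAMPLE_TRACE = {
    "sql": "select * from t where name = '</script><b>injected</b>'",
    "params": [],
    "duration_ms": 1.2,
}


def json_for_script_unsafe(data):
    """Plain json.dumps(): '<', '>' and '&' pass through untouched, so a
    '</script>' inside a string value terminates the enclosing script
    element and the rest of the value is parsed as HTML."""
    return json.dumps(data)


def json_for_script(data):
    """Escape the three HTML-significant characters as JSON \\uXXXX
    sequences. The text is still valid JSON that decodes to the same
    values, but it can no longer close a <script> element or open a tag."""
    return (
        json.dumps(data)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def render_trace_page(data, escape=True):
    """Build a minimal debug page that embeds the trace as a JS literal
    (hypothetical layout, not Datasette's template)."""
    encoder = json_for_script if escape else json_for_script_unsafe
    return f"<script>var trace = {encoder(data)};</script>"


def script_breakout_possible(page_html):
    """Detection check for rendered output: a correctly embedded page
    contains exactly one '</script', the closing tag we wrote ourselves.
    Any additional occurrence came from the data and breaks out."""
    return page_html.lower().count("</script") > 1


def round_trips(data):
    """Confirm the escaped encoding is still lossless JSON."""
    return json.loads(json_for_script(data)) == data


if __name__ == "__main__":
    print("unsafe breakout:", script_breakout_possible(render_trace_page(SAMPLE_TRACE, escape=False)))
    print("escaped breakout:", script_breakout_possible(render_trace_page(SAMPLE_TRACE)))
    print("escaped JSON round-trips:", round_trips(SAMPLE_TRACE))
```

The `script_breakout_possible` check is the useful part for a reviewer or a regression test: render the debug page with a string containing `</script>` and assert the output still has a single closing tag. The escaped form also covers the case where the JSON is later written into an HTML attribute, since `<`, `>` and `&` no longer appear literally.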

simonw commented Jun 5, 2021

I've released fixes in both 0.56.1 and 0.57.

simonw closed this as completed Jun 5, 2021

Owner Author

simonw commented Jun 5, 2021

Worth noting that I found this issue myself, and to my knowledge it has not been uncovered by anyone else prior to the patch being released.

simonw added a commit to simonw/datasette-auth-passwords that referenced this issue Jun 5, 2021
Now depends on datasette>=0.56.1

Refs simonw/datasette#1360