Red Hat Bugzilla – Bug 427664
CVE-2008-0252 CherryPy: Malicious cookies may allow access to files outside the session directory
Last modified: 2008-02-14 06:06:38 EST
In October, a security hole in CherryPy was found; see
http://www.cherrypy.org/ticket/744 for a detailed description and patches.
In EPEL 5, the latest CherryPy version is 2.2.1-6.el5 which does not contain the
Created attachment 290919 [details]
Backported fix attached. I'll give it some brief testing. Luke, should we push
this directly to EPEL stable or do we want to push it to EL testing first?
Also, we should update the main CherryPy to CP3.x and create a
python-cherrypy2-2.x package just for turbogears before it gets too late in the
devel cycle for Fedora-9 as that will limit the impact of these bugs.
The patch looks fine, has been applied upstream, and doesn't seem to cause any
blatant regressions. I'd be fine with pushing this directly to stable.
I agree, we should definitely split them out into separate packages.
Packages built and requested for pushing to stable on EL-4, EL-5, F-7, and F-8.
python-cherrypy-2.2.1-8.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
python-cherrypy-2.2.1-8.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
CVE id CVE-2008-0252 was assigned to this issue:
Directory traversal vulnerability in the _get_file_path function in
(1) lib/sessions.py in CherryPy 3.0.x up to 3.0.2, (2)
filter/sessionfilter.py in CherryPy 2.1, and (3)
filter/sessionfilter.py in CherryPy 2.x allows remote attackers to
create or delete arbitrary files, and possibly read and write portions
of arbitrary files, via a crafted session id in a cookie.
Patch from http://www.cherrypy.org/changeset/1775 has been applied to F7, F8,
rawhide, EL-4, and EL-5 packages. It is in the stable repository for each
The patch is broken. It uses an undefined variable, filePath. When used with
sessions in TurboGears it throws an exception every time. Here is the tail end
of the python stack trace:
line 448, in __getattr__
data = sess.session_storage.load(sess.session_id)
line 268, in load
file_path = self._get_file_path(id)
line 329, in _get_file_path
if not os.path.normpath(filePath).startswith(storagePath):
NameError: global name 'filePath' is not defined
New bug reports are appreciated. That way we can track which versions bugs are
This second issue has been fixed in 2.2.1-10 for EL-4/EL-5. Fedora 7 and 8 are
already on 2.3.0 so they don't have this patch applied.
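
An added illustration, not part of the bug report and not CherryPy's code: the containment check visible in the traceback (normalise the path, then confirm it stays under the storage directory), written out in full next to the unchecked join. The function names, SESSION_PREFIX, the storage path and the sample ids are assumptions constructed for this example; the comparison appends a path separator, which is stricter than the bare startswith shown in the trace.

```python
import os

SESSION_PREFIX = "session-"  # assumed file-name prefix, for illustration only


def unsafe_file_path(storage_path, session_id):
    """Pre-fix behaviour: the cookie value is joined into the path unchecked."""
    return os.path.join(storage_path, SESSION_PREFIX + session_id)


def safe_file_path(storage_path, session_id):
    """Resolve the session file and refuse anything outside storage_path."""
    storage = os.path.normpath(os.path.abspath(storage_path))
    candidate = os.path.normpath(
        os.path.join(storage, SESSION_PREFIX + session_id))
    # Compare against storage + separator: a bare startswith(storage) would
    # also accept a sibling directory whose name merely begins with it.
    if not candidate.startswith(storage + os.sep):
        raise ValueError("session id escapes the session directory")
    return candidate


def check_ids(storage_path, session_ids):
    """Return {session_id: True if accepted, False if rejected}."""
    results = {}
    for sid in session_ids:
        try:
            safe_file_path(storage_path, sid)
            results[sid] = True
        except ValueError:
            results[sid] = False
    return results


# Constructed sample cookie values, not taken from the bug report.
SAMPLE_IDS = [
    "0123456789abcdef0123456789abcdef01234567",  # ordinary hex id
    "/../../outside",                             # climbs out of the directory
    "/../../sessions-old/x",                      # sibling sharing the prefix
]

if __name__ == "__main__":
    for sid, ok in check_ids("/var/lib/app/sessions", SAMPLE_IDS).items():
        print("accepted" if ok else "rejected", repr(sid))
```

A test that calls the path function once with any session id would also have caught the NameError reported above, since the undefined name sits on the code path every session load takes.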