Hi,
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746322 and
https://github.com/defnull/bottle/issues/616 report an issue where
Bottle treated "text/plain;application/json" as JSON, allowing security
mechanisms to be bypassed.
From the upstream report, "For example Chrome will not allow
cross-origin xmlhttprequests with the content type set to
"application/json" but you can set it to "text/plain;application/json"
instead and bottle will accept it."
Can a CVE please be assigned if one has not been already?
Thanks,
--
Murray McAllister / Red Hat Security Response Team
https://bugzilla.redhat.com/show_bug.cgi?id=1093255
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
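The mismatch behind this report is between how a browser and how the server decide what a Content-Type value means. The following is an added example, not Bottle's source or any code from the bug reports: `naive_is_json` reconstructs the reported behaviour (matching "application/json" anywhere in the header value, an assumption about the mechanism rather than Bottle's actual implementation), `parse_media_type` and `strict_is_json` show the corrected approach of comparing only the media type before the first `;`, and `is_cors_safelisted` applies the CORS rule that a request body with a safelisted media type (text/plain, multipart/form-data, application/x-www-form-urlencoded, parameters ignored) is sent without a preflight. The sample header values are constructed.

```python
"""Content-Type media type parsing vs. substring matching.

Added illustration (not Bottle's code). The naive check reconstructs the
behaviour described in the bug reports; the strict check is the fix a
server should apply. Sample headers below are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Media types a browser may send cross-origin without a CORS preflight
# (parameters such as charset are ignored when making this decision).
CORS_SAFELISTED = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def naive_is_json(content_type: Optional[str]) -> bool:
    """Reconstruction of the reported weakness (assumed mechanism): any
    occurrence of 'application/json' in the header value counts as JSON,
    so 'text/plain;application/json' is accepted as JSON."""
    return bool(content_type) and "application/json" in content_type


def parse_media_type(content_type: Optional[str]) -> Tuple[str, Dict[str, str]]:
    """Split a Content-Type value into (type/subtype, parameters).

    Only the token before the first ';' is the media type; the remainder
    is a list of key=value parameters. The media type and parameter names
    are case-insensitive, so they are lower-cased here."""
    if not content_type:
        return "", {}
    head, _, rest = content_type.partition(";")
    media_type = head.strip().lower()
    params: Dict[str, str] = {}
    for part in rest.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            params[key.strip().lower()] = value.strip().strip('"')
    return media_type, params


def strict_is_json(content_type: Optional[str]) -> bool:
    """Fixed check: compare the parsed media type, not the raw string."""
    media_type, _ = parse_media_type(content_type)
    return media_type == "application/json"


def is_cors_safelisted(content_type: Optional[str]) -> bool:
    """Browser-side view: would this body be sent without a preflight?"""
    media_type, _ = parse_media_type(content_type)
    return media_type in CORS_SAFELISTED


# Constructed sample header values covering the cases in the report.
SAMPLE_HEADERS: List[str] = [
    "application/json",
    "application/json; charset=utf-8",
    "text/plain;application/json",
    "text/plain",
]


def mismatches(headers: List[str] = SAMPLE_HEADERS) -> List[str]:
    """Headers that a browser sends without preflight yet the naive server
    check treats as JSON. These are exactly the values that let the
    cross-origin restriction described in the report be sidestepped."""
    return [h for h in headers if is_cors_safelisted(h) and naive_is_json(h)]


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(
            f"{h!r:40} preflight-free={is_cors_safelisted(h)!s:5} "
            f"naive_json={naive_is_json(h)!s:5} strict_json={strict_is_json(h)}"
        )
    print("mismatched headers:", mismatches())
```

Running the block prints one line per sample header; only `text/plain;application/json` is both preflight-free for the browser and accepted as JSON by the naive check, while the strict check classifies it as `text/plain`. The same parser serves any other place a server branches on Content-Type, which is the point: decisions must be made on the parsed media type, never on the raw header string.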