Hi all, I've just pushed a new version of the filebrowser-safe package Mezzanine uses for its media library which addresses a minor security issue. You can upgrade it right away via "pip install -U filebrowser-safe", or by updating your requirements file accordingly.
The issue is that certain parent path traversals were not being checked (e.g. "foo/../bar"), and if the MEDIA_ROOT setting is contained under the STATIC_ROOT setting (e.g. www.site.com/static/media), as is the default for Mezzanine, an authenticated admin user could rename/delete files that were under STATIC_ROOT but not under MEDIA_ROOT.

While this issue is regarded as minor, as it's only exploitable by authenticated staff members and limited to files found under STATIC_ROOT, you should upgrade as soon as possible. There aren't any expected compatibility issues in doing so.

Big thanks to Pieter Rogaar for reporting the issue privately. As usual, if you think you may have discovered a possible security issue like this, please report it privately to secur...@jupo.org to allow it to be resolved before being made public.

Now also serves as a good time to remind everyone about the private mezzanine-security announcement mailing list. Any critical issues (unlike this one) will be made available there with upgrade instructions prior to the issue being made public, giving site owners a chance to upgrade before the issue is made public. Please subscribe if you have a production Mezzanine site, which you'll need to provide details of before subscribing: https://groups.google.com/forum/#!forum/mezzanine-security

Thanks

--
Stephen McDonald
http://jupo.org
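The bug class described in the announcement, shown as an added example (this is illustrative code, not filebrowser-safe's actual pre-fix or post-fix logic). It assumes a constructed layout where MEDIA_ROOT sits beneath STATIC_ROOT, as the message says is Mezzanine's default, and contrasts a hypothetical weak check that only rejects a leading ".." with a normalise-then-confine check that catches "foo/../../..." style traversals. The `classify` helper is also hypothetical and only reports where a path would land.

```python
import posixpath

# Constructed example layout mirroring the advisory's default: MEDIA_ROOT sits
# beneath STATIC_ROOT, so an escape from MEDIA_ROOT lands inside STATIC_ROOT.
STATIC_ROOT = "/srv/site/static"
MEDIA_ROOT = "/srv/site/static/media"


def naive_is_allowed(user_path):
    """Hypothetical weak check: only rejects paths that *begin* with '..'.

    Illustrates the bug class ("foo/../.." slips through); it is not the
    actual logic filebrowser-safe used before the fix.
    """
    return not user_path.startswith("..")


def resolve_under_root(root, user_path):
    """Return the normalised absolute path for user_path under root, or None
    if it would escape root.

    Purely lexical: a symlink inside root that points elsewhere is not
    detected here; on a real tree, follow up with os.path.realpath.
    """
    root = posixpath.normpath(root)
    # join() discards root if user_path is absolute ("/etc/passwd"), and
    # normpath() collapses "foo/../.." so any escape becomes visible.
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    # Compare on a component boundary so "/srv/site/static/media2" is not
    # accepted as being inside "/srv/site/static/media".
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def classify(user_path):
    """Report what each check does with a path and whether an escape from
    MEDIA_ROOT would still land inside STATIC_ROOT (the advisory's case)."""
    resolved = resolve_under_root(MEDIA_ROOT, user_path)
    landed = posixpath.normpath(posixpath.join(MEDIA_ROOT, user_path))
    return {
        "naive_allows": naive_is_allowed(user_path),
        "strict_allows": resolved is not None,
        "lands_in_static_only": resolved is None
        and landed.startswith(STATIC_ROOT + "/"),
    }


if __name__ == "__main__":
    # Constructed sample inputs: two benign, three traversal attempts.
    for p in ["uploads/a.png", "foo/../bar.txt", "foo/../../css/site.css",
              "../js/app.js", "/etc/passwd"]:
        print(p, classify(p))
```

Note that "foo/../bar.txt" is legitimate (it normalises to a file inside MEDIA_ROOT), so the fix is not to ban ".." outright but to normalise first and then confine; rejecting any path containing ".." would be a cruder but also acceptable policy for an upload tree.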