Hi everyone, the following patch (available for both 2.0 and 2.1) fixes a potential security vulnerability reported yesterday:
https://github.com/unbit/uwsgi/commit/cb4636f7c0af2e97a4eef7a3cdcbd85a71247bfe Any modern system should not be vulnerable thanks to out-of-the-box protections like stack canary and friends. (basically if you pass a path bigger than PATH_MAX, uWSGI will crash or will trigger a stack corruption exception) Albeit using it for some kind of useful attack seems very improbable, the new approach is way more robust than the previous one as it checks for the path size before calling realpath() too. -- Roberto De Ioris http://unbit.com _______________________________________________ uWSGI mailing list uWSGI@lists.unbit.it http://lists.unbit.it/cgi-bin/mailman/listinfo/uwsgi
