Hi all,

another LTS release is available:

https://github.com/unbit/uwsgi-docs/blob/master/Changelog-2.0.17.rst

it includes an optimization for the Emperor as well as a security
improvement in the PHP plugin.

This bug/security issue has been reported by Marios Nicolaides weeks ago,
but required a lot of internal discussions as its fix involved a change in
the default behaviour of an LTS release. The main problem was that the fix
changes the way the --php-docroot option works (without the patch and
without specifying which php extensions are allowed [that every sysadmin
should configure !!!], a malicious user could traverse the document root
and show a file out of it).

After a bunch of discussions we decided to make the option consistent with
the other plugins (like static file serving) where the DOCUMENT_ROOT is
checked multiple times for escaping attempts.
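As an added illustration of the kind of document-root check the paragraph above describes (this is example code written for this page, not uWSGI's own implementation, and it is in Python rather than the C the project uses), the block below puts a weak textual prefix test next to a check that normalises the path, follows symlinks and verifies the result is still under the document root, then applies an allowed-extension list. The directory layout, file names and the `allowed_ext` parameter are constructed assumptions for the demo.

```python
import os
import tempfile


def naive_in_docroot(docroot, request_path):
    """Weak check (constructed to show the failure mode): a plain string
    prefix test on the un-normalised path. ".." segments and symlinks are
    not resolved, so "/../secret.txt" still "starts with" the docroot."""
    candidate = os.path.join(docroot, request_path.lstrip("/"))
    return candidate.startswith(docroot)


def resolve_in_docroot(docroot, request_path, allowed_ext=(".php",)):
    """Return the real filesystem path for request_path if it stays inside
    docroot and has an allowed extension, otherwise None.

    The check is done on the fully resolved path: realpath() collapses
    ".." segments and follows symlinks, so a link inside the docroot that
    points outside it is rejected just like a traversal sequence."""
    root = os.path.realpath(docroot)
    # Strip leading slashes so join() does not discard the docroot.
    candidate = os.path.join(root, request_path.lstrip("/"))
    real = os.path.realpath(candidate)
    # commonpath() rather than startswith(): "/srv/www-evil" must not pass
    # as a child of "/srv/www".
    if os.path.commonpath([root, real]) != root:
        return None
    # Extension allow-list, mirroring the "which php extensions are allowed"
    # setting the announcement says every sysadmin should configure.
    if os.path.splitext(real)[1] not in allowed_ext:
        return None
    return real


def demo():
    """Build a throwaway docroot with one legitimate script, one file outside
    the root and one symlink pointing at it, then run both checks over a few
    constructed request paths. Returns {request: (naive_ok, hardened_ok)}."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "www")
        os.makedirs(docroot)
        secret = os.path.join(tmp, "secret.txt")
        with open(os.path.join(docroot, "index.php"), "w") as f:
            f.write("<?php echo 'ok'; ?>")
        with open(secret, "w") as f:
            f.write("not for the web")
        # Symlink inside the docroot that escapes it.
        os.symlink(secret, os.path.join(docroot, "link.php"))

        requests = ["/index.php", "/../secret.txt", "/link.php", "/index.txt"]
        return {
            req: (
                naive_in_docroot(docroot, req),
                resolve_in_docroot(docroot, req) is not None,
            )
            for req in requests
        }


if __name__ == "__main__":
    for req, (naive_ok, hardened_ok) in demo().items():
        print(f"{req:16} naive={naive_ok!s:5} hardened={hardened_ok}")
```

The naive check accepts all four requests; the hardened one accepts only `/index.php`. Resolving the path once and then re-checking containment on the resolved result is what makes a symlink and a `..` sequence fail the same test, which is the "checked multiple times" behaviour the announcement aligns the PHP plugin with.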

Marios will write a detailed blog post about it. Many thanks to him.

-- 
Roberto De Ioris
http://unbit.com
_______________________________________________
uWSGI mailing list
uWSGI@lists.unbit.it
http://lists.unbit.it/cgi-bin/mailman/listinfo/uwsgi