Important TurboGears 1.x Security Notice

Most TurboGears users are not affected, but every TurboGears user who has explicitly added CherryPy-based sessions to their application is exposed to an important security vulnerability.

A malicious user could craft a cookie that lets them delete files beginning with your SESSION_PREFIX from the server's file system, add new files with that prefix, or overwrite files with that prefix with arbitrary pickled Python objects.

Anyone in that situation can re-secure their system by updating to CherryPy 2.3.0.

Again, most TurboGears users are not vulnerable to this issue and do not need to update their systems. You are only vulnerable if you have explicitly enabled sessions with:

sessionFilter.on = True

in your configuration file.

You can also search your application for uses of cherrypy.session. If you find either of these things, you are potentially vulnerable and should test your application with CherryPy 2.3.0, which should be backwards compatible with your existing TurboGears app.

The easiest way to secure your application is to upgrade CherryPy with easy_install:

easy_install -UZ "CherryPy==2.3.0"

Use “tg-admin info” to check which version of CherryPy you currently have installed. Do this before you attempt to update, so that if anything goes wrong you can roll back to your earlier version of CherryPy with:

easy_install "CherryPy==YourVersion"

Once the update is complete, run tg-admin info again to verify that you are in fact using 2.3.0, and don’t forget to restart your server.

We have also released new versions of TurboGears with this updated dependency, so you can instead upgrade TurboGears to 1.0.3.3 (the most recent stable version) or 1.0.4b5 (the most recent beta). New TurboGears installs from these versions are not vulnerable, even if they turn on cherrypy.session.
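As an added check that is not part of the original notice (and not TurboGears or CherryPy code), the script below scans a project tree for the two indicators above, a config line that turns sessionFilter.on on and Python code that touches cherrypy.session, and compares a CherryPy version string against the fixed 2.3.0. It assumes the usual 1.x layout of .cfg files and .py modules; the sample project it builds is constructed for the demo, and the version lookup via importlib.metadata is an alternative to tg-admin info, not what tg-admin runs.

```python
"""Find TurboGears 1.x session indicators and compare CherryPy versions against 2.3.0."""
import ast
import os
import re
import tempfile
from typing import Dict, List, Tuple

FIXED_VERSION = (2, 3, 0)

# "sessionFilter.on = True" with any spacing; a leading "#" means it is commented out.
_SESSION_ON_RE = re.compile(r"^\s*sessionFilter\.on\s*=\s*True\s*$", re.MULTILINE)
# Fallback for source that does not parse under this interpreter (e.g. Python 2 code).
_SESSION_ATTR_RE = re.compile(r"\bcherrypy\.session\b")


def config_enables_sessions(cfg_text: str) -> bool:
    """True if the config text switches on the CherryPy session filter."""
    return _SESSION_ON_RE.search(cfg_text) is not None


def cherrypy_session_uses(py_source: str) -> List[int]:
    """Line numbers on which the source reads or writes cherrypy.session.

    Uses the ast so comments and strings are not counted; if the file is
    Python 2 syntax and will not parse here, falls back to a per-line regex
    that crudely drops everything after a '#'.
    """
    try:
        tree = ast.parse(py_source)
    except SyntaxError:
        return [n for n, line in enumerate(py_source.splitlines(), 1)
                if _SESSION_ATTR_RE.search(line.split("#", 1)[0])]
    hits = set()
    for node in ast.walk(tree):
        if (isinstance(node, ast.Attribute) and node.attr == "session"
                and isinstance(node.value, ast.Name) and node.value.id == "cherrypy"):
            hits.add(node.lineno)
    return sorted(hits)


def scan_project(root: str) -> Dict[str, List[str]]:
    """Walk a project tree. Returns config files that enable sessions and
    'file:line,line' entries for code using cherrypy.session (paths relative to root)."""
    findings: Dict[str, List[str]] = {"config": [], "code": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name.endswith(".cfg") and config_enables_sessions(text):
                findings["config"].append(rel)
            elif name.endswith(".py"):
                lines = cherrypy_session_uses(text)
                if lines:
                    findings["code"].append("%s:%s" % (rel, ",".join(map(str, lines))))
    for key in findings:
        findings[key].sort()
    return findings


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """'2.2.1' -> ((2, 2, 1), False); '2.3.0rc1' -> ((2, 3, 0), True).
    The bool flags a pre-release suffix, which counts as older than the plain release."""
    nums: List[int] = []
    prerelease = False
    for piece in text.strip().split("."):
        m = re.match(r"(\d+)(.*)", piece)
        if not m:
            prerelease = True
            break
        nums.append(int(m.group(1)))
        if m.group(2):
            prerelease = True
            break
    padded = (nums + [0, 0, 0])[:3]
    return (padded[0], padded[1], padded[2]), prerelease


def needs_update(installed: str) -> bool:
    """True if this CherryPy version string is older than the fixed 2.3.0."""
    nums, prerelease = parse_version(installed)
    return nums < FIXED_VERSION or (nums == FIXED_VERSION and prerelease)


def installed_cherrypy_version():
    """Version of the CherryPy importable here, or None if none is installed."""
    try:
        from importlib.metadata import PackageNotFoundError, version
    except ImportError:
        return None
    try:
        return version("CherryPy")
    except PackageNotFoundError:
        return None


# Constructed sample project (not a real TurboGears app) so the scan runs offline.
_DEMO_FILES = {
    "dev.cfg": "[global]\nserver.environment = 'development'\nsessionFilter.on = True\n",
    "prod.cfg": "[global]\n# sessionFilter.on = True\nsessionFilter.on = False\n",
    "app/controllers.py": (
        "import cherrypy\n"
        "# cherrypy.session mentioned in a comment is not a use\n"
        "class Root:\n"
        "    def index(self):\n"
        "        cherrypy.session['visits'] = cherrypy.session.get('visits', 0) + 1\n"
        "        return 'ok'\n"
    ),
    "app/legacy.py": "import cherrypy\nprint 'python 2 file'\nuser = cherrypy.session['user']\n",
}


def build_demo_project() -> str:
    """Write the constructed sample tree into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="tg_session_check_")
    for rel, content in _DEMO_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    found = scan_project(build_demo_project())
    print("config files enabling sessions:", found["config"])
    print("code using cherrypy.session:", found["code"])
    ver = installed_cherrypy_version()
    print("installed CherryPy:", ver, "(needs update)" if ver and needs_update(ver) else "")
```

Point scan_project at a real project root instead of the demo tree; a hit in either list means the application should be tested against 2.3.0. The ast path will not find a session imported under another name (for example from cherrypy import session), so grep for that form separately if your code does it.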

1 Response to “Important TurboGears 1.x Security Notice”


  1. Steve

    Is there a turbogears-security mailing list that people can subscribe to for timely announcements like this?
