[Twisted-Python] Security Advisory: bash remote code execution
Matt Haggard
haggardii at gmail.com
Thu Sep 25 09:09:20 MDT 2014
>
> Any web server which is serving traffic over a CGI or CGI-like interface
> (including WSGI) should upgrade its version of Bash immediately.
>
I feel ignorant, but I'm confused about how WSGI is affected (and have
failed to exploit my WSGI app). AFAICT from reading the code, Twisted's
WSGIResource doesn't invoke a shell. I see that it has an `environ`
attribute that gets filled with user-provided information, but I don't see
how that makes it into a shell's environment.
We'll patch bash anyway.
Thanks,
Matt
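
An added example, not part of the original post and not Twisted's code: it traces one request header through a minimal WSGI call to show where the value lives at each step. The `app` function, the `HTTP_X_DEMO` key and the marker value are constructed for illustration; the CGI-style copy stands in for what a CGI gateway does when it spawns a handler process.

```python
import os
import subprocess
import sys

MARKER = "constructed-header-value-1234"  # constructed, harmless sample value
KEY = "HTTP_X_DEMO"                       # constructed header key (assumption)

# Child program: report whether KEY exists in its own process environment.
CHILD = "import os; print(os.environ.get(%r, '<absent>'))" % KEY


def run_child(env=None):
    """Spawn a child interpreter and return what it sees for KEY."""
    out = subprocess.run([sys.executable, "-c", CHILD], env=env,
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def app(environ, start_response):
    """Hypothetical WSGI app: it only reads the per-request environ dict."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get(KEY, "").encode()]


def trace_header():
    # Per-request dict as a WSGI server would build it (constructed, minimal).
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", KEY: MARKER}
    body = b"".join(app(environ, lambda status, headers: None))

    # CGI-style: request headers are copied into the child's environment.
    cgi_env = dict(os.environ)
    cgi_env.update({k: v for k, v in environ.items() if k.startswith("HTTP_")})

    return {
        "app_saw_header": body.decode() == MARKER,          # in the dict
        "in_process_env": MARKER in os.environ.values(),    # not in os.environ
        "child_default_env": run_child(),                   # inherits os.environ
        "child_cgi_style_env": run_child(cgi_env),          # header now exported
    }


if __name__ == "__main__":
    for name, value in trace_header().items():
        print(name, "=", value)
```

When auditing an application, the places to look are calls that spawn a process with an `env` built from request data, or code that writes request values into `os.environ`.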