Jonkman Microblog

  1. Tek dba Tek (tek@freeradical.zone)'s status on Tuesday, 28-Aug-2018 19:57:02 EDT

    Use Flask? Update it, like *now*:

    - https://nvd.nist.gov/vuln/detail/CVE-2018-1000656
    - https://github.com/pallets/flask/pull/2691/files

    If I'm reading this right, you can use an encoding mismatch to trick the JSON decoder into interpreting escaped quotes, etc., as actual punctuation. Think SQL injection, where the JSON decoder is the database engine. Now imagine someone sends:

    `name = 'foo", \'is_root\': True, \'junk\': "'`

    or similar, and instead of changing their name, you give them root access.

    Attachments

    1. detect UTF encodings when loading json by davidism · Pull Request #2691 · pallets/flask
      from GitHub
      request.get_json no longer accepts arbitrary encodings. Incoming JSON must be encoded using a UTF-8, -16, or -32 codec. The current JSON spec says UTF-8 is the only valid encoding, although Flask i...
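
As an added example (not part of the original post and not Flask's own code), one way to apply the rule quoted in the pull request summary: ignore whatever charset the client declares, work out which UTF codec the bytes use from a BOM or NUL-byte pattern, and reject anything else. The names `detect_utf_encoding` and `loads_strict` and all sample inputs are hypothetical.

```python
import codecs
import json


def detect_utf_encoding(data):
    """Pick the UTF codec for a JSON body from its first bytes (hypothetical helper)."""
    head = data[:4]
    # BOMs first; UTF-32 before UTF-16 because the UTF-32-LE BOM begins with the UTF-16-LE BOM.
    if head[:3] == codecs.BOM_UTF8:
        return "utf-8-sig"
    if head in (codecs.BOM_UTF32_BE, codecs.BOM_UTF32_LE):
        return "utf-32"
    if head[:2] in (codecs.BOM_UTF16_BE, codecs.BOM_UTF16_LE):
        return "utf-16"
    # No BOM: JSON text starts with ASCII characters, so the position of
    # NUL bytes reveals the code unit width and the byte order.
    if len(head) == 4:
        if head[:3] == b"\x00\x00\x00":
            return "utf-32-be"
        if head[::2] == b"\x00\x00":
            return "utf-16-be"
        if head[1:] == b"\x00\x00\x00":
            return "utf-32-le"
        if head[1::2] == b"\x00\x00":
            return "utf-16-le"
    elif len(head) == 2:
        if head[:1] == b"\x00":
            return "utf-16-be"
        if head[1:] == b"\x00":
            return "utf-16-le"
    return "utf-8"


def loads_strict(data, declared_charset=None):
    """Parse a JSON body; declared_charset (from the client) is deliberately ignored."""
    encoding = detect_utf_encoding(data)
    try:
        text = data.decode(encoding)  # strict error handling: bad bytes raise
    except UnicodeDecodeError as exc:
        raise ValueError("JSON body is not valid UTF-8/16/32") from exc
    return json.loads(text)


if __name__ == "__main__":
    # Constructed sample: escaped quotes stay inside the string value.
    print(loads_strict(b'{"name": "foo\\", \\"is_root\\": true"}'))
    print(loads_strict('{"name": "foo"}'.encode("utf-16-le")))
```

A body that is not one of the three UTF families fails closed with `ValueError`, even if the request claims a charset that would decode it.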