Comment 6 for bug 1830862

kev (kbackhouse2000) wrote:

Hi Alex,

I reported it to <email address hidden>. To be honest though, I don't think it's going to look like a vulnerability to them. I have attached the PoC that I sent them. It uses configparser to parse /dev/zero. Let's see what they say, but I think it's just going to be: "that's not a bug".

I also don't think we can blame configparser for following the symlink. I imagine it's quite common for config files to be symlinks to other locations.

I would recommend changing the code to use `read_file`, rather than `read`:

https://docs.python.org/3/library/configparser.html#configparser.ConfigParser.read_file

That will enable you to do validation on the file before you pass it to configparser.

Thanks,

Kev
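An added example (not code from this bug report or from the affected project) of the pattern recommended above: open the path, inspect the open descriptor with `fstat`, bound the read, and only then hand the contents to `read_file`. The function names, the size limit and the sample config are assumptions made for the example.

```python
import configparser
import io
import os
import stat
import tempfile

MAX_CONFIG_BYTES = 1_000_000  # assumption: no legitimate config is larger than this


class ConfigValidationError(Exception):
    pass


def load_validated_config(path, max_bytes=MAX_CONFIG_BYTES):
    # Open first, then fstat() the open descriptor: the check and the read then
    # apply to the same inode, so a symlink swapped between stat() and open()
    # cannot slip past the check.
    with open(path, "rb") as fh:
        st = os.fstat(fh.fileno())
        # /dev/zero reports st_size == 0, so a size check alone would not catch
        # it; the regular-file check is what rejects devices, FIFOs and sockets,
        # whether reached directly or via a symlink (a symlink to a real file passes).
        if not stat.S_ISREG(st.st_mode):
            raise ConfigValidationError(f"{path}: not a regular file")
        if st.st_size > max_bytes:
            raise ConfigValidationError(f"{path}: too large ({st.st_size} bytes)")
        data = fh.read(max_bytes + 1)  # bounded even if the file grew after fstat()
        if len(data) > max_bytes:
            raise ConfigValidationError(f"{path}: too large after read")
    cp = configparser.ConfigParser()
    # read_file() takes a file-like object we already vetted; read() would re-open the path itself.
    cp.read_file(io.StringIO(data.decode("utf-8")), source=path)
    return cp


def demo():
    """Constructed self-check: a normal config (and a symlink to it) parses, oversize and device files are rejected."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "app.ini")
        with open(good, "w") as fh:
            fh.write("[main]\nport = 8080\n")  # constructed sample config
        results["port"] = load_validated_config(good).get("main", "port")
        link = os.path.join(d, "link.ini")
        try:
            os.symlink(good, link)
            results["via_symlink"] = load_validated_config(link).get("main", "port")
        except OSError:
            results["via_symlink"] = "skipped"  # symlinks unavailable on this platform
        try:
            load_validated_config(good, max_bytes=4)
            results["oversize"] = "accepted"
        except ConfigValidationError:
            results["oversize"] = "rejected"
        if os.path.exists("/dev/zero"):
            try:
                load_validated_config("/dev/zero")
                results["devzero"] = "accepted"
            except ConfigValidationError:
                results["devzero"] = "rejected"
        else:
            results["devzero"] = "skipped"
    return results
```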