Werkzeug 0.15.5 has been released, containing bug and security fixes. The changelog lists the changes in detail, which include:
- SharedDataMiddleware safely handles drive names in paths on Windows.
- Fixes an "Exec format error" in many common situations.

SharedDataMiddleware on Windows

Prior to 0.15.5, it was possible for a third party to potentially access arbitrary files when the application used SharedDataMiddleware on Windows. This issue was assigned CVE-2019-14322.
Due to the way Python's os.path.join() function works on Windows, a path segment with a drive name will change the drive of the final path. This was previously addressed in the safe_join() function in Werkzeug 0.12.2, but SharedDataMiddleware used a separate implementation and so was not secured by the previous fix. SharedDataMiddleware now uses safe_join() when fetching requested files. Projects using SharedDataMiddleware on Windows should update as soon as possible to receive the fix.
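The drive-name behaviour described above, reproduced with the ntpath module so it runs on any OS, alongside a hypothetical safe_join() that rejects such segments. This is an added example, not Werkzeug's own code; naive_join, safe_join and resolve_static are names chosen for the illustration.

```python
import ntpath  # Windows path rules, so the example runs on any OS

def naive_join(directory, *segments):
    """The vulnerable pattern: os.path.join with Windows semantics. A
    segment carrying a drive name ("C:") discards everything before it."""
    return ntpath.join(directory, *segments)

def safe_join(directory, *segments):
    """Join untrusted segments under `directory`; None if any segment could
    escape it. Hypothetical re-implementation, not Werkzeug's safe_join."""
    parts = [directory]
    for segment in segments:
        # Reject drive names ("C:", "C:foo"), UNC prefixes, absolute
        # paths, embedded separators and parent-directory references.
        drive, _ = ntpath.splitdrive(segment)
        if (
            drive
            or ntpath.isabs(segment)
            or "/" in segment
            or "\\" in segment
            or segment == ".."
        ):
            return None
        parts.append(segment)
    return ntpath.join(*parts)

def resolve_static(root, url_path):
    """Map a request path such as '/css/app.css' onto a file under `root`,
    the way a static-file middleware would, or return None when unsafe."""
    segments = [s for s in url_path.split("/") if s]
    return safe_join(root, *segments)

if __name__ == "__main__":
    # Constructed demonstration input
    print(naive_join("static", "C:\\Windows\\win.ini"))  # the drive wins
    print(safe_join("static", "C:\\Windows\\win.ini"))   # None
    print(resolve_static("static", "/css/app.css"))      # static\css\app.css
```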
Thank you to Emre Övünç and Olivier Dony for responsibly reporting the issue. If you think you have discovered a security issue in Werkzeug or another of the Pallets projects, please email [email protected] with details.
Install from PyPI with pip:
pip install -U Werkzeug