ID: 0014022
Project: ParaView
Category: (No Category)
View Status: public
Date Submitted: 2013-04-18 15:05
Last Update: 2016-08-12 09:59
Reporter: Zach Mullen
Assigned To: Kitware Robot
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: moved
Platform:
OS:
OS Version:
Product Version: 3.98.1
Target Version:
Fixed in Version:
Summary: 0014022: ParaViewWeb security bug: unexpected static content behavior
Description:

When I start up my ParaViewWeb application without passing any "--content" argument, my expectation is that it won't serve any static content at all. However, it is actually serving all of the static content under whatever the working directory was that I invoked python in, and I didn't realize it was doing this until I looked at the code in web.py. A user could easily accidentally be serving up portions of their filesystem that they don't want to be serving.

I propose we change the behavior to: if no --content arg is passed, then no static content is served at all.
Tags: No tags attached.
Project: TBD
Topic Name:
Type: incorrect functionality
Attached Files:

 Relationships

  Notes
(0038385)
Kitware Robot (administrator)
2016-08-12 09:59

Resolving issue as `moved`.

This issue tracker is no longer used. Further discussion of this issue may take place in the current ParaView Issues page linked in the banner at the top of this page.
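
The fail-closed default proposed in the issue description, as an added sketch that is not part of the original report and is not ParaViewWeb's web.py code. Only the `--content` flag comes from the issue; `content_root`, `resolve_static` and the `fail_closed` switch are hypothetical names, and the `fail_closed=False` branch models the reported fallback to the working directory for comparison.

```python
import argparse
import os


def content_root(argv, fail_closed=True):
    """Return the absolute static-content root, or None for "serve nothing".

    Hypothetical helper: only the --content flag name is taken from the issue.
    """
    parser = argparse.ArgumentParser(add_help=False)
    # default=None, never "." or os.getcwd(): an absent flag must not
    # silently turn the launch directory into a document root.
    parser.add_argument("--content", default=None)
    args, _unknown = parser.parse_known_args(argv)
    if args.content:
        return os.path.realpath(args.content)
    if fail_closed:
        return None  # proposed behaviour: no --content, no static content
    # Reported behaviour, kept only for comparison: fall back to the
    # directory python was started in.
    return os.path.realpath(os.getcwd())


def resolve_static(root, url_path):
    """Map a request path to a file under root; None means answer 404."""
    if root is None:
        return None  # static serving is disabled
    candidate = os.path.realpath(os.path.join(root, url_path.lstrip("/")))
    # Refuse anything that resolves outside the configured root
    # (".." segments, symlinks pointing elsewhere).
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None
```

A request handler built on this returns 404 whenever `resolve_static` yields `None`, so a launch without `--content` exposes no files regardless of the working directory.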

 Issue History
Date Modified Username Field Change
2013-04-18 15:05 Zach Mullen New Issue
2016-08-12 09:59 Kitware Robot Note Added: 0038385
2016-08-12 09:59 Kitware Robot Status backlog => closed
2016-08-12 09:59 Kitware Robot Resolution open => moved
2016-08-12 09:59 Kitware Robot Assigned To => Kitware Robot

