jetforce security vulnerability, affecting versions < 0.2.3

Greetings,

A vulnerability was recently discovered regarding the jetforce server. There
was a bug in the code that allowed maliciously crafted URLs to break out of
the root directory and serve files from elsewhere on the filesystem [1].

I have fixed the issue and have uploaded a new release v0.2.3 to PyPI and
GitHub [2][3]. This is a bugfix-only release and does not contain any other
breaking changes. I now consider all versions < v0.2.3 to be insecure. If
you are running jetforce, I strongly urge you to upgrade to the latest
version as soon as possible.

Best,
Michael

[1] https://github.com/michael-lazar/jetforce/issues/24
[2] https://github.com/michael-lazar/jetforce/releases/tag/v0.2.3
[3] https://pypi.org/project/Jetforce/0.2.3/
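
The bug class described in the message above (a URL path escaping a static file server's root directory), shown as an added example that is not part of the original message and is not jetforce's code or its actual fix. The function names, directory layout and URLs are constructed for illustration, and a POSIX system is assumed for the symlink case.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote, urlsplit


def naive_resolve(root: Path, url: str) -> Path:
    """Unsafe: joins the decoded URL path to the root, no containment check."""
    return root / unquote(urlsplit(url).path).lstrip("/")


def safe_resolve(root: Path, url: str) -> Optional[Path]:
    """Return the path to serve, or None if the URL leaves the root."""
    rel = unquote(urlsplit(url).path).lstrip("/")
    if "\x00" in rel:
        return None
    root_real = root.resolve()
    # resolve() collapses ".." and follows symlinks, so the comparison is
    # made on the path the OS would actually open.
    candidate = (root_real / rel).resolve()
    if candidate != root_real and root_real not in candidate.parents:
        return None
    return candidate


def demo() -> dict:
    """Resolve constructed URLs against a constructed temporary tree."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        root = base / "gemini_root"
        root.mkdir()
        (root / "index.gmi").write_text("hello")
        (base / "secret.txt").write_text("outside the root")
        os.symlink(base / "secret.txt", root / "link.gmi")
        paths = ("/index.gmi", "/../secret.txt", "/%2e%2e/secret.txt", "/link.gmi")
        out = {}
        for url in ["gemini://example.org" + p for p in paths]:
            naive, safe = naive_resolve(root, url), safe_resolve(root, url)
            # (what the naive server would read, what the checked one serves)
            out[url] = (naive.read_text(), safe.name if safe else None)
        return out


if __name__ == "__main__":
    for item in demo().items():
        print(item)
```

The containment check runs on the fully resolved path, so it holds whether the escape comes from dot segments, percent-encoding or a symlink inside the root.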