On Sep 25, 2014, at 8:09 AM, Matt Haggard <haggar...@gmail.com> wrote:
> > Any web server which is serving traffic over a CGI or CGI-like interface
> > (including WSGI) should upgrade its version of Bash immediately.
>
> I feel ignorant, but I'm confused about how WSGI is affected (and have failed
> to exploit my WSGI app). AFAICT from reading the code, Twisted's
> WSGIResource doesn't invoke a shell. I see that it has an `environ`
> attribute that gets filled with user-provided information, but I don't see
> how that makes it into a shell's environment.

As Alex's post said, this vulnerability does not affect Twisted directly.

The point is that most people deploying web services are doing so in a UNIX environment, and in so doing they are probably invoking scripts of various kinds, or executables which may have been replaced with wrapper shell-scripts. It's hard to audit for environment variables containing attacker-controlled data, and this is the sort of thing we've all been trained to expect is safe, if they're variables in our own "namespace", so it's possible that any number of 3rd-party tools you are using with Twisted are vulnerable in surprising ways.

So everybody should just upgrade :).

-glyph
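The data path glyph is describing, as an added example (this is not code from the thread, from Twisted, or from any of the posters): a WSGI `environ` dict populated from an HTTP request, a naive CGI-style export that copies it into a child process's environment, and an audit helper that flags which of those variables the remote client controls. The sample `environ` is constructed for the example, and the function names are assumptions. The last function runs the widely circulated check for the Bash bug against whatever `bash` is on the local PATH; nothing else in the block invokes a shell, which is exactly why the exposure is easy to miss.

```python
"""Added example, not from the original thread or from Twisted.

Shows how attacker-controlled request data reaches a child process's
environment without the application ever calling a shell itself, and how
to check the local bash for the function-import bug.
"""
import os
import shutil
import subprocess
from typing import Dict, Optional

# Constructed sample: what a WSGI server would put in `environ` for a
# request whose User-Agent header carries a function-shaped value.
SAMPLE_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "PATH_INFO": "/status",
    "QUERY_STRING": "verbose=1",
    "HTTP_HOST": "app.example",
    "HTTP_USER_AGENT": "() { :; }; echo SHELLSHOCKED",
    "wsgi.url_scheme": "http",  # wsgi.* keys are not CGI variables
    "wsgi.input": None,
}


def cgi_env_from_wsgi(environ: Dict[str, object],
                      base: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """The CGI-style export that adapters and wrapper scripts commonly do:
    inherit the parent's environment and copy every string-valued WSGI key
    on top. No shell is invoked here, yet the HTTP_* values chosen by the
    client become environment variables of whatever runs next."""
    env = dict(os.environ if base is None else base)
    for key, value in environ.items():
        if isinstance(value, str) and not key.startswith("wsgi."):
            env[key] = value
    return env


def attacker_controlled_vars(env: Dict[str, str]) -> Dict[str, str]:
    """Audit helper: which variables in a child environment carry values
    the remote client chose? HTTP_* comes straight from request headers;
    QUERY_STRING and PATH_INFO come from the request line."""
    return {k: v for k, v in env.items()
            if k.startswith("HTTP_") or k in ("QUERY_STRING", "PATH_INFO")}


def looks_like_bash_function(value: str) -> bool:
    """Unpatched bash imported a variable as a function when its value
    began with '() {', and also parsed (and ran) whatever followed the
    closing brace."""
    return value.lstrip().startswith("() {")


def local_bash_is_vulnerable() -> Optional[bool]:
    """Run the well-known check against the local bash: export a
    function-shaped variable and see whether the trailing command runs.
    Returns None when no bash is installed."""
    bash = shutil.which("bash")
    if bash is None:
        return None
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"),
           "x": "() { :; }; echo vulnerable"}
    result = subprocess.run([bash, "-c", "echo test"], env=env,
                            capture_output=True, text=True, timeout=10)
    return "vulnerable" in result.stdout


if __name__ == "__main__":
    child_env = cgi_env_from_wsgi(SAMPLE_ENVIRON)
    for name, value in attacker_controlled_vars(child_env).items():
        flag = "  <-- function-shaped" if looks_like_bash_function(value) else ""
        print(f"{name}={value!r}{flag}")
    print("local bash vulnerable:", local_bash_is_vulnerable())
```

The point of `attacker_controlled_vars` is the audit glyph calls hard: any executable the application starts with an environment built this way (including a binary that an operator has quietly replaced with a `#!/bin/bash` wrapper) sees the client's header values as variables, and an unpatched bash will treat the function-shaped one as code. Upgrading bash is the fix; the helper only tells you where the exposure was.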
_______________________________________________ Twisted-Python mailing list Twisted-Python@twistedmatrix.com http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python