`goreleaser release -debug` log shows secret values used in the custom publisher. GoReleaser builds Go binaries for several platforms, creates a GitHub release and then pushes a Homebrew formula to a tap repository. discourse-group-membership-ip-block was sending all group custom fields to the client, including group custom fields from other plugins which may expect their custom fields to remain secret. This vulnerability has been patched in version 0.109.0. discourse-group-membership-ip-block is a Discourse plugin that adds support for adding users to groups based on their IP address. It's a ReDoS (Regular expression Denial of Service); it only applies to those reading form data using `python-multipart`. This means that the process can't handle any more requests. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints.