From 8276d6dd76ba3ea7843e76ee2aa1a178082d399e Mon Sep 17 00:00:00 2001 From: Daniel Leskosky <dleskosky@salesforce.com> Date: Fri, 30 Sep 2022 17:12:47 -0700 Subject: [PATCH 1/6] updating security doc so users use at least 5.1.1 of Tornado --- docs/security.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/security.md b/docs/security.md index a9bd5b3e..7e80435e 100755 --- a/docs/security.md +++ b/docs/security.md @@ -17,3 +17,5 @@ you may want to consider the following as you use TabPy: - Execution of ad-hoc Python scripts can be disabled by turning off the /evaluate endpoint. To disable /evaluate endpoint, set "TABPY_EVALUATE_ENABLE" to false in config file. +- The Python module for Tornado needs to be at least version 5.1.1. Using an earlier + version than this can leave scripts vulnerable to malicious attacks. \ No newline at end of file From 116253964130e0be8309eff67a1ae7a937bc1ee8 Mon Sep 17 00:00:00 2001 From: Daniel Leskosky <dleskosky@salesforce.com> Date: Mon, 3 Oct 2022 09:23:50 -0700 Subject: [PATCH 2/6] changed tornado to python in sec doc --- docs/security.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/security.md b/docs/security.md index 7e80435e..84d8669f 100755 --- a/docs/security.md +++ b/docs/security.md @@ -17,5 +17,4 @@ you may want to consider the following as you use TabPy: - Execution of ad-hoc Python scripts can be disabled by turning off the /evaluate endpoint. To disable /evaluate endpoint, set "TABPY_EVALUATE_ENABLE" to false in config file. -- The Python module for Tornado needs to be at least version 5.1.1. Using an earlier - version than this can leave scripts vulnerable to malicious attacks. \ No newline at end of file +- Always use the most up-to-date version of Python. Using earlier versions can leave scripts vulnerable to malicious attacks. \ No newline at end of file From 7b998ae100b494e85ed457ccb3d466dc393c9dc2 Mon Sep 17 00:00:00 2001 
From: Daniel Leskosky <dleskosky@salesforce.com> Date: Mon, 3 Oct 2022 09:32:56 -0700 Subject: [PATCH 3/6] linter was complaining --- docs/security.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/security.md b/docs/security.md index 84d8669f..93461d65 100755 --- a/docs/security.md +++ b/docs/security.md @@ -17,4 +17,6 @@ you may want to consider the following as you use TabPy: - Execution of ad-hoc Python scripts can be disabled by turning off the /evaluate endpoint. To disable /evaluate endpoint, set "TABPY_EVALUATE_ENABLE" to false in config file. -- Always use the most up-to-date version of Python. Using earlier versions can leave scripts vulnerable to malicious attacks. \ No newline at end of file +- Always use the most up-to-date version of Python. + Using earlier versions can leave scripts vulnerable to malicious attacks. + \ No newline at end of file From 7f3b4c4da33960dcc3eb1065b79cef5a3a6f841a Mon Sep 17 00:00:00 2001 From: Daniel Leskosky <dleskosky@salesforce.com> Date: Mon, 3 Oct 2022 09:35:48 -0700 Subject: [PATCH 4/6] linter was complaining --- docs/security.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/security.md b/docs/security.md index 93461d65..f0dd3a0d 100755 --- a/docs/security.md +++ b/docs/security.md @@ -17,6 +17,5 @@ you may want to consider the following as you use TabPy: - Execution of ad-hoc Python scripts can be disabled by turning off the /evaluate endpoint. To disable /evaluate endpoint, set "TABPY_EVALUATE_ENABLE" to false in config file. -- Always use the most up-to-date version of Python. +- Always use the most up-to-date version of Python. Using earlier versions can leave scripts vulnerable to malicious attacks. - \ No newline at end of file From b43d8cfc8c7a5b3e36060ec5e5cae2d36507028b Mon Sep 17 00:00:00 2001 
From: Daniel Leskosky <dleskosky@salesforce.com> Date: Mon, 3 Oct 2022 11:46:26 -0700 Subject: [PATCH 5/6] more detail added --- docs/security.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/security.md b/docs/security.md index f0dd3a0d..681f91d2 100755 --- a/docs/security.md +++ b/docs/security.md @@ -18,4 +18,6 @@ you may want to consider the following as you use TabPy: /evaluate endpoint. To disable /evaluate endpoint, set "TABPY_EVALUATE_ENABLE" to false in config file. - Always use the most up-to-date version of Python. - Using earlier versions can leave scripts vulnerable to malicious attacks. + TabPy relies on Tornado and if older verions of Python are used with Tornado + then malicious users can potentially poison python server web caches + with parameter cloaking. From 0b753fb4891e103d9693c016bbfe228f03de3663 Mon Sep 17 00:00:00 2001 From: Daniel Leskosky <dleskosky@salesforce.com> Date: Mon, 3 Oct 2022 12:59:23 -0700 Subject: [PATCH 6/6] fixed typo --- docs/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/security.md b/docs/security.md index 681f91d2..9afcfd4e 100755 --- a/docs/security.md +++ b/docs/security.md @@ -19,5 +19,5 @@ you may want to consider the following as you use TabPy: to false in config file. - Always use the most up-to-date version of Python. TabPy relies on Tornado and if older verions of Python are used with Tornado - then malicious users can potentially poison python server web caches + then malicious users can potentially poison Python server web caches with parameter cloaking.
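Review bot: In PATCH 1/6, the added bullet ("The Python module for Tornado needs to be at least version 5.1.1. Using an earlier version than this can leave scripts vulnerable to malicious attacks.") gives a minimum version without saying what that bound protects against or where it is enforced, so a reader cannot check it. Suggest naming the issue the 5.1.1 bound addresses and pairing the doc change with a matching lower bound in the project's dependency declaration; otherwise the documented minimum and the installed version drift apart. The hunk also ends with "\ No newline at end of file"; add the trailing newline.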
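Review bot: In PATCH 2/6, replacing the concrete Tornado 5.1.1 minimum with "Always use the most up-to-date version of Python" drops the only checkable guidance in the section, and the commit message ("changed tornado to python") gives no reason for the switch. If the concern is the Python interpreter rather than Tornado, state the minimum Python version instead; "most up-to-date" cannot be compared against an installed version and goes stale as soon as a new release ships. If both components matter, keep the Tornado bound alongside the Python one.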
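Review bot: PATCH 3/6 and PATCH 4/6 ("linter was complaining") only rewrap the bullet onto two lines and then remove the blank line that 3/6 introduced; the "\ No newline at end of file" marker persists through both. Squash these two fixups into the commit that introduced the bullet and add the final newline in the same step, so the series does not carry two commits that cancel each other.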
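Review bot: In PATCH 5/6, the added lines "TabPy relies on Tornado and if older verions of Python are used with Tornado then malicious users can potentially poison python server web caches with parameter cloaking." contain a typo ("verions") and still mix the two components: the sentence blames the Python version, while the first revision of the same bullet pinned Tornado. Name the component whose version decides whether parameter cloaking applies and give the version in which it was fixed; "potentially" plus "older versions" leaves a user with no way to tell whether their deployment is affected. Wrapping the line at the same width as the rest of the file ("/evaluate endpoint. To disable /evaluate endpoint, set ...") would also keep the linter quiet.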
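Review bot: PATCH 6/6 ("fixed typo") changes "python" to "Python" but leaves "verions" in the context line directly above it ("TabPy relies on Tornado and if older verions of Python are used with Tornado"); fix that in the same commit. A one-word fixup like this should be squashed into PATCH 5/6 rather than landing as its own commit.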