On Windows, a URI using backslash traversal (e.g. ....\ secret.txt) bypasses the directory traversal check in Template.init and the posixpath-based normalization in TemplateLookup.get_template(), allowing reads of files outside the configured template directory.
TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations: Template.init strips one leading / using if/slice TemplateLookup.get_template() strips all leading / using re.sub(r"^/+", "") When a URI like //../../../../etc/passwd is passed: get_template() strips all / → ../../../../etc/passwd → file found via posixpath.join(dir_, u) Template.init strips one / → /../../../../etc/passwd → normpath → /etc/passwd /etc/passwd.startswith(..) → …
TemplateLookup.get_template() is vulnerable to path traversal when a URI starts with // (e.g., //../../../secret.txt). The root cause is an inconsistency between two slash-stripping implementations: Template.init strips one leading / using if/slice TemplateLookup.get_template() strips all leading / using re.sub(r"^/+", "") When a URI like //../../../../etc/passwd is passed: get_template() strips all / → ../../../../etc/passwd → file found via posixpath.join(dir_, u) Template.init strips one / → /../../../../etc/passwd → normpath → /etc/passwd /etc/passwd.startswith(..) → …
Sqlalchemy mako before 1.2.2 is vulnerable to Regular expression Denial of Service when using the Lexer class to parse. This also affects babelplugin and linguaplugin.
Mako before 0.3.4 relies on the cgi.escape function in the Python standard library for cross-site scripting (XSS) protection, which makes it easier for remote attackers to conduct XSS attacks via vectors involving single-quote characters and a JavaScript onLoad event handler for a BODY element.