Masonite Documentation
v2.2 LTS
v2.2 LTS
  • Introduction and Installation
  • Creating a Blog
  • Prologue
    • Contributing Guide
    • How To Contribute
    • Release Cycle
    • Known Installation Issues
    • Deprecation
  • What's New
    • Masonite 1.3
    • Masonite 1.4
    • Masonite 1.5
    • Masonite 1.6
    • Masonite 2.0
    • Masonite 2.1
    • Masonite 2.2
  • Upgrade Guide
    • Masonite 1.3 to 1.4
    • Masonite 1.4 to 1.5
    • Masonite 1.5 to 1.6
    • Masonite 1.6 to 2.0
    • Masonite 2.0 to 2.1
    • Masonite 2.1 to 2.2
  • The Basics
    • Controllers
    • Helper Functions
    • Requests
    • Routing
    • Static Files
    • Views
  • The Craft Command
    • Introduction
    • Creating Commands
  • Architectural Concepts
    • Request Lifecycle
    • Service Container
    • Service Providers
  • Advanced
    • Autoloading
    • Creating a Mail Driver
    • Creating Packages
    • Database Seeding
    • Extending Classes
    • Middleware
    • Responses
    • Sessions
    • Status Codes
    • Validation
  • Useful Features
    • Broadcasting
    • Caching
    • Compiling Assets
    • Environments
    • Events
    • Framework Hooks
    • Mail
    • Queues and Jobs
    • Task Scheduling
    • Testing
    • Selenium Testing
    • Template Caching
    • Uploading
    • View Composers, Sharing and Filters
  • Security
    • Authentication
    • CSRF Protection
    • Encryption
    • Headers
    • Releases
  • Orator ORM
    • Database Migrations
    • Basic Usage
    • Collections
    • ORM
    • Pagination
    • Query Builder
    • Schema Builder
  • Managers and Drivers
    • About Drivers
    • About Managers
    • Contracts
  • Official Packages
    • Masonite API
    • Masonite Billing
    • Masonite Logging
    • Masonite Notifications
  • Masonite Essentials
    • Hash ID's
  • Tutorials
    • Creating a Blog
  • How-to Guides
    • Build Email Verification from Scratch With Masonite Framework and JSON Web Tokens
    • Deploying a Masonite Application to Heroku
    • How To Deploy Masonite to PythonAnywhere
    • How-To: Use RabbitMQ with Masonite 2.0 queues
    • How To Use The Repository Pattern with Masonite
    • Making Masonite and Laravel Mix work together
  • Deployment
    • Drivers
    • Optimization
Powered by GitBook
On this page
  • Introduction
  • 2.1.2
  • Issue
  • Fix
  • Patch
Edit on Git
Export as PDF
  1. Security

Releases

Introduction

Masonite takes security seriously and wants full transparency with security vulnerabilities so we document each security release in detail and how to patch or fix it.

2.1.2

Issue

There were 2 issues involved with this release. The first is that input data was not being properly sanitized so there was an XSS vulnerability if the developer returned this directly back from a controller.

Another issue was that there were no filters on what could be uploaded with the upload feature. The disk driver would allow any file types to be uploaded to include exe, jar files, app files etc.

There was no reported exploitation of this. These were both proactively caught through analyzing code and possible vulnerabilities.

Fix

The fix for the input issue was simply to just escape the input before it is stored in the request dictionary. We used the html core module that ships with Python and created a helper function to be used elsewhere.

The fix to the second issue of file types was to limit all uploads to images unless explicitly stated otherwise through the use of the accept method.

Patch

The patch for this is to simply upgrade to 2.1.3 and explicitly state which file types you need to upload if they are not images like so:

def show(self, upload: Upload):
    upload.accept('exe', 'jar').store('...')

Those choices to accept those files should be limited and up to the developer building the application sparingly.

PreviousHeadersNextDatabase Migrations

Last updated 6 years ago