Werkzeug 0.15.5 has been released, containing bug and security fixes. The changelog lists the changes in detail, which include:
SharedDataMiddleware safely handles drive names in paths on Windows.
Exec format error in many common situations.
Prior to 0.15.5, it was possible for a third party to potentially access arbitrary files when the application used SharedDataMiddleware on Windows. This issue was assigned CVE-2019-14322.

Due to the way Python's os.path.join() function works on Windows, a path segment with a drive name will change the drive of the final path. This was previously addressed in the safe_join() function in Werkzeug 0.12.2, but SharedDataMiddleware used a separate implementation and so was not secured by the previous fix. SharedDataMiddleware now uses safe_join() when fetching requested files. Projects using SharedDataMiddleware on Windows should update as soon as possible to receive the fix.
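The drive-name behaviour described above can be reproduced on any operating system with Python's ntpath module, which is the implementation os.path uses on Windows. The example below is added here and is not Werkzeug's code: naive_join shows how a requested path carrying a drive prefix silently replaces the configured root, and hardened_join is a hypothetical check modelled on the contract of safe_join() (reject drive or UNC prefixes, absolute paths, and ".." components, otherwise join under the root). The root and file names are constructed sample values.

```python
import ntpath


def naive_join(root, *parts):
    """Join exactly as os.path.join does on Windows, with no validation.

    Constructed to show the hazard: a part such as "D:\\secret.txt" or the
    drive-relative "D:secret.txt" changes the drive of the result, so the
    configured root is no longer a prefix of the returned path.
    """
    return ntpath.join(root, *parts)


def hardened_join(root, *parts):
    """Join untrusted parts under root, or return None if any part could escape.

    Hypothetical check modelled on the safe_join() contract (not Werkzeug's
    implementation). Each part is rejected when it:
      * carries a drive letter or UNC share prefix ("D:...", "\\\\server\\share"),
      * is absolute under either separator ("\\x" or "/x"),
      * contains a ".." component under either separator.
    """
    for part in parts:
        drive, _ = ntpath.splitdrive(part)
        if drive:  # "D:" or "\\\\server\\share" would switch the drive
            return None
        # Treat both separators as path separators, as Windows does
        normalized = part.replace("\\", "/")
        if normalized.startswith("/"):  # absolute path replaces the root
            return None
        if any(segment == ".." for segment in normalized.split("/")):
            return None  # directory traversal out of the root
    return ntpath.join(root, *parts)


if __name__ == "__main__":
    ROOT = "C:\\srv\\static"  # constructed sample root
    for requested in ("css\\site.css", "D:\\secret.txt", "D:secret.txt",
                      "..\\secret.txt", "\\\\server\\share\\x"):
        print(f"{requested!r:28} naive={naive_join(ROOT, requested)!r:32} "
              f"hardened={hardened_join(ROOT, requested)!r}")
```

Running the block on Linux or Windows gives the same results, because ntpath does not depend on the host OS; the point to notice is that the drive-relative form "D:secret.txt" also escapes the root even though it contains no separator at all.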
Thank you to Emre Övünç and Olivier Dony for responsibly reporting the issue. If you think you have discovered a security issue in Werkzeug or another of the Pallets projects, please email [email protected] with details.
Install from PyPI with pip:
pip install -U Werkzeug