EarthSystemCoG / COG

COG source code
BSD 3-Clause "New" or "Revised" License

Prevent Path Manipulation exploits #1328

Closed LucaCinquini closed 7 years ago

LucaCinquini commented 7 years ago

Who: NOAA security scan

The CoG code reads configuration files whose location is specified in cog_settings.py. If a malicious attacker has access to that configuration file, the code would be tricked into reading arbitrary files.

LucaCinquini commented 7 years ago

Fixed by validating the filepath before reading the file:

- Make sure that the filename in the filepath is exactly what's expected (i.e. files with other names cannot be read)
- Make sure the filepath does not contain "." (to prevent directory traversal)
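
As an added illustration (not CoG's own code), a Python validator that implements the two checks listed in the comment above, applied before the file is opened; the expected file name `example_config.cfg` and the paths used are constructed placeholders, and the "no dot" rule is applied to the directory part of the path since the file name itself is already pinned by the first check.

```python
import os


class UnsafeConfigPath(ValueError):
    """Raised when a configured path fails validation."""


def validate_config_path(filepath: str, expected_filename: str) -> str:
    """Return filepath unchanged if it passes both checks, else raise.

    Check 1: the file name component must equal expected_filename exactly,
             so a settings value can only ever name the intended file.
    Check 2: the directory component must not contain '.', which rejects
             '.' and '..' segments (directory traversal) outright.
    """
    if not filepath:
        raise UnsafeConfigPath("empty path")
    directory, filename = os.path.split(filepath)
    if filename != expected_filename:
        raise UnsafeConfigPath(f"unexpected file name {filename!r}")
    if "." in directory:
        raise UnsafeConfigPath(f"directory part {directory!r} contains '.'")
    return filepath


def is_safe_config_path(filepath: str, expected_filename: str) -> bool:
    """Boolean convenience wrapper around validate_config_path."""
    try:
        validate_config_path(filepath, expected_filename)
    except UnsafeConfigPath:
        return False
    return True


def read_config(filepath: str, expected_filename: str) -> str:
    """Open the file only after validation has passed (validate, then read)."""
    with open(validate_config_path(filepath, expected_filename)) as fh:
        return fh.read()


if __name__ == "__main__":
    # Constructed sample values; "example_config.cfg" is a placeholder name.
    for candidate in ("/usr/local/cog/example_config.cfg",
                      "/usr/local/cog/../../etc/example_config.cfg",
                      "/usr/local/cog/other.cfg"):
        print(candidate, "->", is_safe_config_path(candidate, "example_config.cfg"))
```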

murphysj commented 7 years ago

Luca says to close if everything still works.