Open lvf233 opened 3 years ago
Yes, script running is the fundamental of this project. There's a warning on readme that you can setup auth to the task page.
Yeah, most people still start pyspider with the default configuration; could the modification of this default setting be forced? Meanwhile, we also designed such a scene, which is opened in the case of only allowing localhost to access, while supporting JavaScript (using other components for rendering). We use the CSRF method to request the local pyspider to achieve the same effect.
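The auth setup the maintainer refers to, as an added example rather than anything from this thread: a pyspider `config.json` whose `webui` section mirrors the `pyspider webui` command-line options (`username`, `password`, `need-auth`, `host`); the credential values and the `127.0.0.1` binding are assumed placeholders, and the comment lines are annotations to strip before use. Binding to localhost alone does not address the CSRF case lvf233 describes, so `need-auth` is the setting that matters.

```json
{
  "__comment_default": "Default start: webui on 0.0.0.0 with no auth; anyone reaching the port can submit scripts",
  "__comment_hardened": "Hardened webui section below; pass the file with `pyspider -c config.json`",
  "webui": {
    "host": "127.0.0.1",
    "username": "CHANGE_ME_USER",
    "password": "CHANGE_ME_LONG_RANDOM_PASSWORD",
    "need-auth": true
  }
}
```

Without `"need-auth": true` the `username`/`password` pair is not enforced on the task pages, so verify the setting by opening the webui and confirming a credential prompt appears before any project or task page loads.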
🐛 Bug Report
Script content, which could cause RCE, needs a security check
To Reproduce
Expected behavior
The server will execute the code you set (it ran calc.exe, which I set to prove this vuln).
Test script or set of commands reproducing this issue
Post this task as follows to the server.
Environment
pyspider v0.3.10; system: Ubuntu 18.04 & Windows 10 version 1909