This repository was archived by the owner on Aug 5, 2020. It is now read-only.
youfou/wxpy (Public archive)

Replaced vulnerable functions and outdated dependencies #273

Open
bugrevelio wants to merge 1 commit into youfou:master from bugrevelio:master

Conversation

bugrevelio

Potential vulnerability risks were detected in your dependencies and used functions.
Some vulnerabilities have been replaced by safe alternatives.

Vulnerable Functions

puid_map.py:143:76: pickle.load

  • Reason: Untrusted input can result in arbitrary code execution.
  • Severity: warning

xiaoi.py:66:15: hashlib.sha1

  • Reason: Attacks can find collisions in the full version of SHA-1.
  • Replacement: hashlib.sha512()
  • Severity: critical

xiaoi.py:68:15: hashlib.sha1

  • Reason: Attacks can find collisions in the full version of SHA-1.
  • Replacement: hashlib.sha512()
  • Severity: critical

xiaoi.py:71:20: hashlib.sha1

  • Reason: Attacks can find collisions in the full version of SHA-1.
  • Replacement: hashlib.sha512()
  • Severity: critical

Vulnerable Dependencies

Some versions of dependencies used in the project might pose security threats. Please make sure to inform users to use safe versions.

| Dependency | Vulnerable Versions | Reason |
| --- | --- | --- |
| setuptools | <0.9.5 | setuptools 0.9.5 fixes a security vulnerability in SSL certificate validation. |
| setuptools | <1.3 | setuptools before 1.3 has a security vulnerability in SSL match_hostname check as reported in Python 17997. |
| setuptools | <3.0 | setuptools 3.0 avoids the potential security vulnerabilities presented by use of tar archives in ez_setup.py. It also leverages the security features added to ZipFile.extract in Python 2.7.4. |
| requests | <2.3.0 | requests before 2.3.0 exposes Authorization or Proxy-Authorization headers on redirect. Fixes CVE-2014-1829 and CVE-2014-1830 respectively. |
| requests | <2.6.0 | requests 2.6.0 fixes handling of cookies on redirect. Previously a cookie without a host value set would use the hostname for the redirected URL, exposing requests users to session fixation attacks and potentially cookie stealing. |
| requests | >=2.1,<=2.5.3 | The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect. |

Source: Safety

Test Report

No tests found or tests could not be executed


This tool was developed as part of a Software Engineering course. The intention is to make project maintainers aware of potential vulnerabilities. If you have feedback then please reply to this pull-request. Thank you!

ZhiyuanChen pushed a commit to ZhiyuanChen/openwc that referenced this pull request on Aug 25, 2019.