devel/ipython -- remote execution

2015-06-22T00:00:00
ID A4460AC7-192C-11E5-9C01-BCAEC55BE5E5
Type freebsd
Reporter FreeBSD
Modified 2015-06-22T00:00:00

Description

Kyle Kelley reports:

Summary: JSON error responses from the IPython notebook REST API contained URL parameters and were incorrectly reported as text/html instead of application/json. The error messages included some of these URL params, resulting in a cross site scripting attack. This affects users on Mozilla Firefox but not Chromium/Google Chrome. API paths with issues:

/api/contents (3.0-3.1) /api/notebooks (2.0-2.4, 3.0-3.1)