CVE request: Python Bottle JSON content-type not restrictive enough

[Murray McAllister <mmcallis () redhat com>]

Hi,

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746322 and 
https://github.com/defnull/bottle/issues/616 report an issue where 
Bottle treated "text/plain;application/json" as JSON, allowing security 
mechanisms to be bypassed.

From the upstream report, "For example Chrome will not allow 
cross-origin xmlhttprequests with the content type set to 
"application/json" but you can set it to "text/plain;application/json" 
instead and bottle will accept it."

Can a CVE please be assigned if one has not been already?

Thanks,

--
Murray McAllister / Red Hat Security Response Team

https://bugzilla.redhat.com/show_bug.cgi?id=1093255