New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent directory traversal in server-supplied filenames #379

Merged

ducaale merged 1 commit into ducaale:hotfix/v0.22.0-re-fix-download-path-escape from blyxxyz:re-fix-download-path-escape

Jul 8, 2024

Commits on Jul 8, 2024

Prevent directory traversal in server-supplied filenames
```
If the `Content-Disposition` header includes directory
separators (e.g. `/`) then we now only take the base
filename. Including the directories is a vulnerability.

Originally fixed in 028cbb0 but then
broken again in 330d3f2. This time I
added a regression test.
```
blyxxyz committed Jul 8, 2024
Configuration menu
View commit details

Copy full SHA for 841f9c2

Browse repository at this point
Copy the full SHA

841f9c2 View commit details

Browse the repository at this point in the history