Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

aura: Sanitize filenames in image IDs #4160

Merged
merged 2 commits into from
Nov 26, 2021
Merged

aura: Sanitize filenames in image IDs #4160

merged 2 commits into from
Nov 26, 2021

Commits on Nov 26, 2021

  1. aura: Sanitize filenames in image IDs

    When constructing paths to image files to serve, we previously spliced
    strings from URL requests directly into the path to be opened. This is
    theoretically worrisome because it could allow clients to read other
    files that they are not supposed to read.
    
    I'm not actually sure this is a real security problem because Flask's
    URL parsing should probably rule out IDs that have `/` in them anyway.
    But out of an abundance of caution, this now prevents paths from showing
    up in IDs at all---and also prevents `.` and `..` from being valid
    names.
    sampsyo committed Nov 26, 2021
    Configuration menu
    Copy the full SHA
    1fad3d0 View commit details
    Browse the repository at this point in the history
  2. Changelog for #4160

    sampsyo committed Nov 26, 2021
    Configuration menu
    Copy the full SHA
    4e69209 View commit details
    Browse the repository at this point in the history