You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Also, since you can inject filenames with arbitrary contents, it'd be a good idea to filter the filename to disallow non-ASCII printable characters. Combined with the path traversal, it might be possible to plant a file somewhere that'd abuse globbing ("foo *") in a script somewhere and get RCE out of it. (The tar example here probably wouldn't work, but maybe one could be found.)
The text was updated successfully, but these errors were encountered:
Looks like 842916d accidentally introduced a path traversal vuln as
os.path.pathsep (":") != os.path.sep ("/").In det.py:
Also, since you can inject filenames with arbitrary contents, it'd be a good idea to filter the filename to disallow non-ASCII printable characters. Combined with the path traversal, it might be possible to plant a file somewhere that'd abuse globbing ("foo *") in a script somewhere and get RCE out of it. (The
tarexample here probably wouldn't work, but maybe one could be found.)The text was updated successfully, but these errors were encountered: