daniel:// stenberg://
We got this "HIGH security problem" in #curl earlier today:
"The -o / --output parameter in cURL does not restrict or sanitize file paths. When passed relative traversal sequences (e.g., ../../), cURL writes files outside the current working directory, allowing arbitrary file overwrite. In automated or privileged environments (CI/CD, root containers), this leads to Remote Code Execution (RCE), privilege escalation, and supply chain risk."
Never a dull moment.
daniel:// stenberg://
Same user followed up with a second severity HIGH security problem.
"The --capath option in cURL and CURLOPT_CAPATH in libcurl accept any directory path without validation. If an attacker provides a custom CA path containing a fake root certificate, cURL will trust malicious HTTPS endpoints signed with that fake root."
I'm fortunate to get to work with the best people 🤠
daniel:// stenberg://
@sergiotarxz sounds like working as intended
Sergio 🏳️⚧️ 🏳️🌈 :flagBi:
@bagder Sounds like a somebody else problem.
Haelwenn /элвэн/ :triskell:
daniel:// stenberg://
Both these reports might be AI slop but we can't be sure - they lack some of the most obvious giveaways. People can be stupid without AI as well.
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.