probonopd
commented
4 years ago Thank you very much @TheAssassin.
Closed TheAssassin closed 4 years ago
probonopd
commented
4 years ago Thank you very much @TheAssassin.
carnil
commented
3 years ago This pull request seems to relate to CVE-2020-25265 and CVE-2020-25266.
TheAssassin
commented
3 years ago It does.
This PR introduces a simple string sanitizer into the codebase. It's used to sanitize some strings which are intended to be embedded in filenames the library calculates. Before, there was a chance for malicious files to generate files with arbitrary filenames. This is no longer possible, as all "dangerous" characters are now just replaced by a safe one.