Closed by gagyn 1 year ago
is very wrong...
It is potentially writing unencrypted PII to a temp path. Whether or not it is the cause of this issue it should be reverted asap as a security vulnerability.
In the event that this library is being used in an environment where something else has access to the file system, unrelated parties could gain access to sensitive information related to an authorized individual.
edit: even worse, it leaves the files around in the temp folder even after the application exits, filling up the drive.
Thanks for these reports. Our team will be engaged in evaluating the issues mentioned here.
Thanks! It would be nice to have it sorted soon 🙂 Can you also please look into my PR? :)
Hi, yes our team will also take a look at your PR; thanks for your contribution.
Just a quick update, our team has included potential fixes for both of these issues in the next release. I don't yet have an ETA on that release at this time though.
Hello guys!
Any updates on the release date of the updated library?
Hi @skyflyer - v6.1.0 was released today and should contain a fix for the issue.
@kenharris thanks for the update!
I'm downloading a file using the method:
Then I'm saving the stream on my disk.
But when I try to open this freshly saved file, I'm getting an error (tried to open it with Edge browser and Acrobat Reader - both with the same result). The PDF file is probably broken.
The code on my side is correct I believe, because when I install the older version of the DocuSign NuGet package (5.12.0) everything is fine.
Here are two files, one saved using the newest package, and the second saved using 5.12.0 (take a look at the difference in size - both come from the same envelope and same document):
I tried to spot the bug in the code, but didn't have time to debug it, so I just guess that it can be somewhere here in the DocuSignClient class:
As the previous version was just returning MemoryStream: