Closed jcaesar closed 2 months ago
Thanks, this does look like a vulnerability! We originally fixed it in https://github.com/ducaale/xh/commit/028cbb0165af54123a4829162a6a00f46e8dce74#diff-da83475b6470958755f1ccfb9f3b20669e114f6d1fea5d0118a39e4e995ba125R31 but then broke it again in https://github.com/ducaale/xh/commit/330d3f2ed4e1af82ef89fefce2e6e84a8ac66330 😬
This is now addressed in https://github.com/ducaale/xh/releases/tag/v0.22.2
Command:
xh output (parts):
strace output:
I haven't tested if this also respects `..` or `/…`, but if it does, this is a minor security vulnerability (or major, if you're using xh as root…) If it doesn't, it's merely a minor nuisance and an inconsistency with httpie. (from nixpkgs-unstable)