ducaale / xh

Friendly and fast tool for sending HTTP requests
MIT License

Download tries to write to subfolder #378

Closed jcaesar closed 2 months ago

jcaesar commented 2 months ago

Command:

xh -d 'https://huggingface.co/rhasspy/piper-voices/resolve/v1.0.0/en/en_GB/cori/high/en_GB-cori-high.onnx.json'

xh output (parts):

content-disposition: inline; filename*=UTF-8''en%2Fen_GB%2Fcori%2Fhigh%2Fen_GB-cori-high.onnx.json; filename="en/en_GB/cori/high/en_GB-cori-high.onnx.json";
xh: error: No such file or directory (os error 2)

strace output:

openat(AT_FDCWD, "en/en_GB/cori/high/en_GB-cori-high.onnx.json", O_WRONLY|O_CREAT|O_EXCL|O_CLOEXEC, 0666) = -1 ENOENT (No such file or directory)

I haven't tested if this also respects .. or /…, but if it does, this is a minor security vulnerability (or major, if you're using xh as root…). If it doesn't, it's merely a minor nuisance and an inconsistency with httpie.

➜ xh --version
xh 0.22.0
+native-tls +rustls

(from nixpkgs-unstable)
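A defensive sketch of the check this report is asking for, added here as an example and not xh's own code: parse the Content-Disposition value quoted above, prefer the RFC 5987 `filename*` form, and keep only the final path component so the download can never be created outside the working directory. The function names and the percent-decoder are my own.

```rust
/// Decode %XX escapes; malformed sequences are kept literally. (Added helper.)
fn percent_decode(s: &str) -> String {
    let b = s.as_bytes();
    let mut out = Vec::with_capacity(b.len());
    let mut i = 0;
    while i < b.len() {
        if b[i] == b'%' && i + 2 < b.len()
            && b[i + 1].is_ascii_hexdigit() && b[i + 2].is_ascii_hexdigit()
        {
            out.push(u8::from_str_radix(&s[i + 1..i + 3], 16).unwrap());
            i += 3;
        } else {
            out.push(b[i]);
            i += 1;
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Pull the filename out of a Content-Disposition value, preferring the
/// `filename*=charset'lang'encoded` form over the plain quoted `filename=`.
fn raw_filename(header: &str) -> Option<String> {
    let mut plain = None;
    for param in header.split(';').map(str::trim) {
        if let Some(v) = param.strip_prefix("filename*=") {
            if let Some(value) = v.splitn(3, '\'').nth(2) {
                return Some(percent_decode(value));
            }
        } else if let Some(v) = param.strip_prefix("filename=") {
            plain = Some(v.trim_matches('"').to_string());
        }
    }
    plain
}

/// Reduce a server-supplied name to a single path component so the file can
/// only land in the current directory. Both '/' and '\' count as separators
/// whatever platform the tool runs on. Returns None when nothing usable is
/// left (empty name, ".", "..").
pub fn safe_filename_from_header(header: &str) -> Option<String> {
    let name = raw_filename(header)?;
    let last = name.rsplit(|c| c == '/' || c == '\\').next().unwrap_or("");
    match last {
        "" | "." | ".." => None,
        other => Some(other.to_string()),
    }
}
```

With the header from the report this yields `en_GB-cori-high.onnx.json`, the name httpie would also use.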

blyxxyz commented 2 months ago

Thanks, this does look like a vulnerability! We originally fixed it in https://github.com/ducaale/xh/commit/028cbb0165af54123a4829162a6a00f46e8dce74#diff-da83475b6470958755f1ccfb9f3b20669e114f6d1fea5d0118a39e4e995ba125R31 but then broke it again in https://github.com/ducaale/xh/commit/330d3f2ed4e1af82ef89fefce2e6e84a8ac66330 😬

ducaale commented 2 months ago

This is now addressed in https://github.com/ducaale/xh/releases/tag/v0.22.2