Closed jwilk closed 1 year ago
Waybackpack does not validate timestamps it receives from the Wayback Machine. If the server went rogue, it could put "../" sequences in the timestamp, tricking waybackpack into writing outside the destination directory.
Good catch, thanks! Now handled in https://github.com/jsvine/waybackpack/commit/1da86a0701f82be6914dd0eb2aa0169a964cb05f and available in v0.5.0. Though do holler if you see anything still amiss.
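An added example, not code from this thread and not the fix in the linked commit: one way a client can treat a server-supplied timestamp as untrusted before using it as a path component. The names `snapshot_dir`, `filter_timestamps` and `UnsafeTimestamp` are hypothetical, and the 14-digit `YYYYMMDDhhmmss` timestamp format is an assumption.

```python
import os
import re

# Assumption: capture timestamps are exactly 14 ASCII digits (YYYYMMDDhhmmss).
TIMESTAMP_RE = re.compile(r"[0-9]{14}")


class UnsafeTimestamp(ValueError):
    """Raised when a server-supplied timestamp is not safe to use in a path."""


def snapshot_dir(dest_root, timestamp):
    """Return the directory for one snapshot, refusing anything outside dest_root."""
    # 1. Allow-list the format. fullmatch() rejects "../", path separators,
    #    empty strings and trailing newlines in a single check.
    if not isinstance(timestamp, str) or not TIMESTAMP_RE.fullmatch(timestamp):
        raise UnsafeTimestamp(repr(timestamp))
    # 2. Defence in depth: resolve symlinks and confirm the result is still
    #    under the destination root (catches a pre-planted symlink).
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, timestamp))
    if os.path.commonpath([root, target]) != root:
        raise UnsafeTimestamp(repr(timestamp))
    return target


def filter_timestamps(dest_root, timestamps):
    """Split a server response into (safe_paths, rejected_values)."""
    safe, rejected = [], []
    for ts in timestamps:
        try:
            safe.append(snapshot_dir(dest_root, ts))
        except UnsafeTimestamp:
            rejected.append(ts)
    return safe, rejected


# Constructed sample response: one well-formed timestamp and three malformed ones.
SAMPLE = ["20200101123456", "../../etc", "20200101/../..", "/tmp/x"]
```

Logging the rejected values rather than silently dropping them gives an operator a signal that the upstream response was malformed or tampered with.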