Looks like 842916dee7a4884dc7eccf102312d50575be01c1 accidentally introduced a path traversal vuln as os.path.pathsep (":") != os.path.sep ("/"). In det.py:
Also, since you can inject filenames with arbitrary contents, it'd be a good idea to filter the filename to disallow non-ASCII printable characters. Combined with the path traversal, it might be possible to plant a file somewhere that'd abuse globbing ("foo *") in a script somewhere and get RCE out of it. (The tar example here probably wouldn't work, but maybe one could be found.)
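The two comments above describe the same class of mistake from both sides: a filter keyed on os.path.pathsep (the ':' that separates entries of $PATH) does nothing against '/' or '..', and even a filename with no separators can still carry glob metacharacters or non-ASCII bytes. The following is an added example, not det.py's code or anything from the commit referenced above; the function names, the allow-list and the sample filenames are assumptions made for illustration. It shows the wrong-constant filter beside an allow-list filter and a realpath containment check, so a reader can see exactly which inputs each one stops.

```python
import os
import string

# Hypothetical helpers for this example; not the project's det.py code.

def strip_pathsep(filename):
    """The bug described above: os.path.pathsep is ':' on POSIX (';' on Windows),
    the separator between $PATH entries, so '/' and '..' pass straight through."""
    return filename.replace(os.path.pathsep, "_")

def strip_sep(filename):
    """Keyed on os.path.sep instead ('/' on POSIX, '\\' on Windows). Better, but
    still lets '..', spaces, '*' and non-ASCII through, which matters if the
    name later reaches a shell or a glob."""
    return filename.replace(os.path.sep, "_")

# Allow-list (assumed for this example): printable ASCII without shell or glob
# metacharacters, so "foo *", "a;b" and "résumé" are all rejected.
ALLOWED = set(string.ascii_letters + string.digits + "._-")

def safe_filename(filename):
    """Accept only a single path component made of allow-listed ASCII.
    Raises ValueError otherwise (including for '.', '..' and empty names)."""
    if not filename or filename in (".", ".."):
        raise ValueError("empty or dot name")
    # basename differs from the input whenever a separator is present
    if os.path.basename(filename) != filename:
        raise ValueError("path separator in filename")
    if not set(filename) <= ALLOWED:
        raise ValueError("character outside allow-list")
    return filename

def is_safe_filename(filename):
    try:
        safe_filename(filename)
        return True
    except ValueError:
        return False

def resolve_under(base_dir, filename):
    """Defence in depth: refuse any target that resolves outside base_dir,
    independent of what the name filter did. commonpath (not startswith) is
    used so that /srv/uploads2 is not accepted as being under /srv/uploads."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("target escapes base directory")
    return target

def escapes(base_dir, filename):
    try:
        resolve_under(base_dir, filename)
        return False
    except ValueError:
        return True

def demo():
    # Constructed attacker-controlled names, used only as sample input here.
    traversal = "../../etc/passwd"
    glob_bait = "foo *"
    results = {
        "pathsep_filter_leaves_traversal": strip_pathsep(traversal) == traversal,
        "sep_filter_output": strip_sep(traversal),
        "traversal_accepted": is_safe_filename(traversal),
        "glob_bait_accepted": is_safe_filename(glob_bait),
        "plain_name_accepted": is_safe_filename("report-2024.txt"),
        "traversal_escapes_base": escapes("/srv/uploads", traversal),
        "plain_name_escapes_base": escapes("/srv/uploads", "report-2024.txt"),
    }
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allow-list is deliberately stricter than "printable ASCII": the concern raised above is a planted filename being expanded by a shell glob or split on whitespace, and neither '*' nor ' ' has any business in a server-chosen filename. The realpath check is the backstop for the case where the filter is bypassed or edited again later.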