LOADING…
0%
Complete changelog

Commit

Sanitize zip entry paths in purchase download grants

Commit details

Commit notes

Creator-controlled folder paths and display names were written into zip entries unvalidated, so a malicious pack could produce archive entries like ../../etc/passwd. Add sanitizeZipFileName/sanitizeZipFolderPath (strip traversal segments, path separators, control chars, reserved chars; cap depth and length) with unit tests, and apply them in the download-grant zip builder.

[private session redacted]

Files changed
3
Lines added
+104
Lines removed
−3
This page is a permanent record of commit 0e5f3f6b.