Skip to content

v0.4.1

Latest
Latest
Compare
Choose a tag to compare
@cyphar cyphar released this 28 Jan 08:30
· 2 commits to main since this release
v0.4.1
This tag was signed with the committer’s verified signature.
cyphar Aleksa Sarai
GPG key ID: 2897FAD2B7E9446F
Verified
Learn about vigilant mode.
7abd870
This commit was signed with the committer’s verified signature.
cyphar Aleksa Sarai
GPG key ID: 2897FAD2B7E9446F
Verified
Learn about vigilant mode.

This release fixes a regression introduced in one of the hardening
features added to filepath-securejoin 0.4.0.

  • The restrictions added for root paths passed to SecureJoin in 0.4.0 was
    found to be too strict and caused some regressions when folks tried to
    update, so this restriction has been relaxed to only return an error if the
    path contains a .. component. We still recommend users use filepath.Clean
    (and even filepath.EvalSymlinks) on the root path they are using, but at
    least you will no longer be punished for "trivial" unclean paths. (#46)

Signed-off-by: Aleksa Sarai [email protected]

Assets 2
Loading