daniel:// stenberg://May 1

We got this "HIGH security problem" reported for #curl earlier today:

"The -o / --output parameter in cURL does not restrict or sanitize file paths. When passed relative traversal sequences (e.g., ../../), cURL writes files outside the current working directory, allowing arbitrary file overwrite. In automated or privileged environments (CI/CD, root containers), this leads to Remote Code Execution (RCE), privilege escalation, and supply chain risk."

Never a dull moment.

Show threadMae
@bagder agreed that this is a bullshit vuln but also... any vuln can be used to escalate to RCE if you try hard enough to justify it
May 1 at 9:11pmWeb
Show threadMaeMay 1
@bagder any feature can be considered a security vulnerability if you are dedicated enough