Thanks. I'm assuming, based on nothing but my own judgement, that users don't often expose their beets library externally using this web UI. Even if they do, this vulnerability is not very practical for attackers to exploit as they should poison a library with malicious code in music metadata fields. Or something.
Therefore, I think this is a low risk vulnerability.

Upstream reports this is fixed in their commit https://github.com/beetbox/beets/commit/75f0d8f4899e61afb939adf02dcfb078aed23a6a

I will update the package to 2.10 in unstable with DD sponsorship from the Python team. I will try to prepare stable updates for bullseye to trixie in branches in salsa. I will try to backport this commit and provide a test confirming proper escaping of field input. I'm not a DD, so I do not have upload access.

I propose I work on the above and report on my progress here. I think I will need a couple of days, maybe until the end of the weekend, to propose fixes. Please jump in if any of the above does not sound okay.

Thanks,
Pieter