Source: onionshare
Version: 2.6.3-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi

https://github.com/onionshare/onionshare/security/advisories/GHSA-v833-3823-cmhp

> OnionShare CLI/Desktop 2.6.3 does not enforce the Receive mode
> disable_files setting at the file upload sink. When a Receive service
> is configured as a text-message-only endpoint (--disable-files /
> "Disable uploading files"), a remote sender who can reach the
> OnionShare service can still send a crafted multipart request
> containing file[]; OnionShare writes the uploaded bytes to disk before
> the route handler skips file accounting.
>
> This affects the shipped onionshare-cli Python package and the desktop
> application because both use the same onionshare_cli.web.receive_mode
> request-streaming implementation.

Regards,
Salvatore
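As an added illustration (not OnionShare's code and not part of the advisory or this report), the following Python models the ordering problem described above: a sink that writes file bytes before consulting the setting beside one that enforces it at the sink, with an in-memory dict standing in for the disk and a constructed multipart body. The function names, the minimal parser and the boundary value are assumptions.

```python
"""Illustrative model (not OnionShare's code): the disable_files policy
must be applied at the upload sink, before bytes are written."""
import re

BOUNDARY = b"----constructed-boundary"   # constructed sample boundary

def parse_multipart(body, boundary):
    """Yield (name, filename, data) per part. Minimal parser sized for
    the constructed sample below; not a general RFC 7578 parser."""
    for raw in body.split(b"--" + boundary)[1:]:
        if raw.startswith(b"--"):            # closing delimiter
            break
        head, _, data = raw.lstrip(b"\r\n").partition(b"\r\n\r\n")
        disp = head.decode("latin-1")
        name = re.search(r'(?<!file)name="([^"]*)"', disp)
        fname = re.search(r'filename="([^"]*)"', disp)
        yield (name.group(1) if name else "",
               fname.group(1) if fname else None, data.rstrip(b"\r\n"))

def receive_unenforced(body, disable_files, disk):
    """Weak ordering: file bytes are written as they stream in; the
    setting is only consulted afterwards, when accounting for the file."""
    accepted = []
    for _name, fname, data in parse_multipart(body, BOUNDARY):
        if fname is not None:
            disk[fname] = data               # lands on disk regardless
            if not disable_files:
                accepted.append(fname)       # skipped, but data stayed
    return accepted

def receive_enforced(body, disable_files, disk):
    """Hardened ordering: the sink checks the setting for every file part
    and rejects the request before a single byte is written."""
    accepted = []
    for _name, fname, data in parse_multipart(body, BOUNDARY):
        if fname is not None:
            if disable_files:
                raise PermissionError("file uploads are disabled")
            disk[fname] = data
            accepted.append(fname)
    return accepted

# Constructed request body: one text field plus one file[] part.
SAMPLE_BODY = b"".join([
    b"--", BOUNDARY, b'\r\nContent-Disposition: form-data; name="text"\r\n\r\nhello\r\n',
    b"--", BOUNDARY, b'\r\nContent-Disposition: form-data; name="file[]"; ',
    b'filename="note.txt"\r\nContent-Type: text/plain\r\n\r\nsecret bytes\r\n',
    b"--", BOUNDARY, b"--\r\n",
])
```

With disable_files set, the unenforced sink returns an empty accounting list yet leaves note.txt on the "disk"; the enforced sink raises before anything is stored.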

