Source: onionshare
Version: 2.6.3-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi

From https://github.com/onionshare/onionshare/security/advisories/GHSA-22p9-r2f5-22mf

> OnionShare CLI/Desktop 2.6.3 can follow symbolic links inside a
> selected Share or Website directory and serve the symlink target
> rather than limiting access to files physically contained in the
> selected directory. If a user shares a directory that contains
> attacker-supplied or otherwise untrusted symlinks, a remote recipient
> with access to the OnionShare service can read arbitrary local files
> readable by the OnionShare process that the symlink points to.
>
> This affects the shipped onionshare-cli Python package and the desktop
> application because both call the same onionshare_cli.web
> file-indexing and streaming code.

Regards,
Salvatore
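The advisory quoted above describes the general failure mode: a file server that joins a requested name onto the share root and opens the result will follow any symlink the share contains, so a planted link hands out whatever it points at. The example below is added here to illustrate that pattern and a containment check for it; it is not OnionShare's code and does not reproduce the onionshare_cli.web indexing or streaming functions. It builds a constructed temporary layout (a share directory holding one regular file and a symlink named innocent.txt that points at a secret outside the share), then contrasts a naive serve function with a hardened one that rejects symlink components and verifies the resolved path is still under the resolved share root. It also shows that os.walk with the default followlinks=False still lists symlinks to files, so an indexer has to filter them explicitly. Function names (serve_naive, serve_hardened, index_share, demo) are illustrative.

```python
"""Added illustration (not OnionShare code): serving files from a shared
directory with and without a symlink/containment check."""
import os
import tempfile
from pathlib import Path
from typing import Optional


def build_share(tmp: Path):
    # Constructed sample layout: a secret outside the share, and a share
    # directory containing one regular file plus a planted symlink to it.
    secret = tmp / "secret.txt"
    secret.write_text("database password\n")
    share = tmp / "share"
    share.mkdir()
    (share / "readme.txt").write_text("public\n")
    os.symlink(secret, share / "innocent.txt")
    return share, secret


def serve_naive(share: Path, requested: str) -> Optional[bytes]:
    # Vulnerable pattern: join the requested name onto the root and open it.
    # is_file() and read_bytes() both follow symlinks, so a link inside the
    # share transparently serves its target, wherever that target lives.
    path = share / requested
    if not path.is_file():
        return None
    return path.read_bytes()


def serve_hardened(share: Path, requested: str) -> Optional[bytes]:
    # 1. Work from the fully resolved share root.
    root = share.resolve(strict=True)
    # 2. Refuse any symlink component beneath the root (lstat-based check),
    #    so links are rejected even if they happen to point back inside.
    cur = root
    for part in Path(requested).parts:
        cur = cur / part
        if cur.is_symlink():
            return None
    # 3. Resolve the final path and require it to stay under the root; this
    #    also blocks plain ".." traversal. is_relative_to needs Python 3.9+.
    try:
        resolved = (root / requested).resolve(strict=True)
    except FileNotFoundError:
        return None
    if not resolved.is_relative_to(root):
        return None
    if not resolved.is_file():
        return None
    return resolved.read_bytes()


def index_share(share: Path):
    # os.walk(followlinks=False) will not descend into symlinked directories,
    # but symlinks to files still show up in `filenames`; filter both.
    listing = []
    for dirpath, dirnames, filenames in os.walk(share):
        dirnames[:] = [d for d in dirnames if not Path(dirpath, d).is_symlink()]
        for name in filenames:
            p = Path(dirpath, name)
            if not p.is_symlink():
                listing.append(str(p.relative_to(share)))
    return sorted(listing)


def demo() -> dict:
    # Returns the outcome of each access so the behaviours can be compared.
    with tempfile.TemporaryDirectory() as d:
        share, _secret = build_share(Path(d))
        return {
            "index": index_share(share),
            "naive_readme": serve_naive(share, "readme.txt"),
            "naive_symlink": serve_naive(share, "innocent.txt"),
            "hardened_readme": serve_hardened(share, "readme.txt"),
            "hardened_symlink": serve_hardened(share, "innocent.txt"),
            "hardened_traversal": serve_hardened(share, "../secret.txt"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The symlink check in step 2 is deliberately separate from the containment check in step 3: a link that resolves to a file inside the share is harmless today but becomes a problem the moment its target is changed, and rejecting links outright keeps the served set equal to the files physically present in the directory, which is what the advisory says the intended behaviour is.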

