rmannibucau commented on PR #12: URL: https://github.com/apache/geronimo-batchee/pull/12#issuecomment-1319639612
Well there is no discussion yet - and to be honest "anywhere" does not mean "downloaded from a random source" but literally "put by an user there". So BatchEE does not take into account the zip creation of the zip it extracts but it must be put intentionally by end user there so if it is insecure the user intentionally put an insecure zip, similarly to put an attacker code voluntary in tomcat webapps folder. This is why I'm not sure it needs a CVE, we can create one in low level but not sure it would serve much end users. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@geronimo.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
