netliomax25-code opened a new pull request, #2584:
URL: https://github.com/apache/groovy/pull/2584

createGrabRecord rejects path separators and shell metacharacters in
coordinate values, but a value made only of dot segments still passes both the
version blacklist and the group/module whitelist, so a version or group of '..'
survives and is later interpolated into the ivy/maven cache file paths as a
parent-directory hop. This adds a contains('..') guard next to the existing
checks, after the backslash fix, and applies it to GrapeMaven too since it
shares the same validation.
--
This is an automated message from the Apache Git Service.
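
The gap described in the pull request, as an added Groovy sketch that is not the PR's code or Groovy's own. The two patterns and the cache layout are assumed stand-ins because the page does not show the real ones, and `CoordinateCheck` with its methods is a hypothetical name.

```groovy
import java.nio.file.Path
import java.nio.file.Paths
import java.util.regex.Pattern

class CoordinateCheck {
    // Assumed stand-ins for the existing checks; the real patterns are not on the page.
    static final Pattern WHITELIST = Pattern.compile('[\\w.-]+')             // group/module
    static final Pattern BLACKLIST = Pattern.compile('[/\\\\:;&|`$<>*?\\s]') // version

    // Checks as described before the change: whitelist group/module, blacklist version.
    static boolean before(String group, String module, String version) {
        [group, module].every { WHITELIST.matcher(it).matches() } &&
            !BLACKLIST.matcher(version).find()
    }

    // The same checks plus a contains('..') guard on every coordinate value.
    static boolean after(String group, String module, String version) {
        before(group, module, version) &&
            ![group, module, version].any { it.contains('..') }
    }

    // Hypothetical cache layout: <root>/<group>/<module>/<version>/<module>-<version>.jar
    static Path cachePath(String root, String group, String module, String version) {
        String fileName = module + '-' + version + '.jar'
        Paths.get(root, group, module, version, fileName).normalize()
    }
}

// Constructed sample coordinates and cache root.
def root = '/home/user/.groovy/grapes'
def samples = [
    ['org.example', 'lib', '1.0'],   // ordinary coordinate
    ['..',          'lib', '1.0'],   // group made only of dot segments
    ['org.example', 'lib', '..'],    // version made only of dot segments
    ['org.example', 'lib', '../x'],  // rejected by both versions: path separator
]
samples.each { g, m, v ->
    def p = CoordinateCheck.cachePath(root, g, m, v)
    println "${[g, m, v]} before=${CoordinateCheck.before(g, m, v)} " +
        "after=${CoordinateCheck.after(g, m, v)} insideRoot=${p.startsWith(root)} -> $p"
}
```

With these assumed patterns the second and third samples pass `before` and fail `after`; for the second one the normalized path also falls outside the cache root.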