path
Going off of https://learn.microsoft.com/en-us/dotnet/standard/io/file-path-formats, the given warning on https://docs.modrinth.com/docs/modpacks/format_definition/#path that says to "make sure it doesn't contain `..` or start with a drive name (i.e., `[A-Z]:/`, `[A-Z]:\`, and `/`).", if implemented at face value, would still result in multiple bad file paths being permitted, such as:

- `\Program Files\Custom Utilities\StringFinder.exe`: A relative path from the root of the current drive.
- `\\system07\C$\`: The root directory of the C: drive on system07. (A network drive/resource)
- `\\.\C:\Test\Foo.txt` and `\\?\C:\Test\Foo.txt`
- `..\`

This could be resolved by either adding `\` as a disallowed starting character and adding `..\`, or promoting normalization checks instead.
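An added example, not part of the issue or of any Modrinth or launcher code: it runs a literal implementation of the documented warning and a normalization-based containment check over the paths listed above. The install directory `BASE` and the benign entry `mods/example.jar` are constructed, and applying Windows path rules through Python's `ntpath` on every host OS is an assumption chosen to be conservative.

```python
import ntpath
import re

BASE = r"C:\instances\pack"  # hypothetical install directory (assumption)

# Paths taken from the issue text (constructed into a list for this example).
ISSUE_PATHS = [
    "..", "C:/", "C:\\", "/",
    r"\Program Files\Custom Utilities\StringFinder.exe",
    r"\\system07\C$" + "\\",
    r"\\.\C:\Test\Foo.txt",
    r"\\?\C:\Test\Foo.txt",
    "..\\",
]


def face_value_check(path: str) -> bool:
    """Literal reading of the warning: no '..', no [A-Z]:/, [A-Z]:\\ or / prefix."""
    if ".." in path:
        return False
    return not (path.startswith("/") or re.match(r"[A-Z]:[/\\]", path))


def stays_inside_base(path: str, base: str = BASE) -> bool:
    """Normalization check: join under Windows rules, normalize, require containment."""
    # Reject drive letters, UNC shares and \\.\ or \\?\ device prefixes outright.
    if ntpath.splitdrive(path)[0]:
        return False
    # A leading \ or / replaces the base's directory part during the join,
    # and '..' segments are collapsed by normpath, so both escapes surface here.
    target = ntpath.normpath(ntpath.join(base, path))
    return target != base and ntpath.commonpath([base, target]) == base


def report(paths):
    """Return (path, face_value_result, normalized_result) for each input."""
    return [(p, face_value_check(p), stays_inside_base(p)) for p in paths]


if __name__ == "__main__":
    for path, naive, strict in report(ISSUE_PATHS + ["mods/example.jar"]):
        print(f"{path!r:55} face-value={naive!s:5} normalized={strict}")
```
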
If those paths are accepted by some launcher implementations, this should be escalated to a security advisory (CWE-35: Path traversal).
CWE-22 actually
CWE-35 is covered by the `..` restriction as it's specifically about improper normalization and not generic path traversal.