Recall 0.3.2

@raiyanyahya raiyanyahya released this 21 Jun 21:56
· 5 commits to master since this release

Security

Closed a path-confinement bypass in output_dir: a pre-planted symlink at the default .recall (e.g. shipped in an untrusted clone) could redirect Recall's writes outside the project, because the fallback re-resolved the same symlink
and returned the escaping path. The fallback is now validated too — when no in-project location is safe, Recall refuses to write (output_dir returns None) rather than landing outside the tree. Added regression tests covering the
symlinked-.recall case end to end.
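
The confinement rule described above, as an added sketch that is not Recall's own code: every candidate directory, the fallback included, is resolved and checked against the resolved project root, and the function returns None when nothing stays inside. The names `confined`, `output_dir_sketch` and `demo`, and the directory layout, are hypothetical and constructed for the example.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def confined(root: Path, candidate: Path) -> Optional[Path]:
    """Return the resolved candidate if it stays under root, else None."""
    real_root = root.resolve()
    real = candidate.resolve()  # follows symlinks, including a planted .recall
    try:
        real.relative_to(real_root)
    except ValueError:
        return None
    return real


def output_dir_sketch(root: Path, names=(".recall",)) -> Optional[Path]:
    """Validate every candidate (fallback included); refuse with None if none is safe."""
    for name in names:
        safe = confined(root, root / name)
        if safe is not None:
            return safe
    return None


def demo() -> dict:
    """Constructed layout: one clone ships .recall as a symlink leaving the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        outside = base / "outside"
        outside.mkdir()
        hostile = base / "hostile_clone"
        hostile.mkdir()
        os.symlink("../outside", hostile / ".recall")  # pre-planted, relative link
        clean = base / "clean_clone"
        (clean / ".recall").mkdir(parents=True)
        return {
            # resolving without the containment check lands outside the project
            "naive_escapes": (hostile / ".recall").resolve() == outside.resolve(),
            "hostile": output_dir_sketch(hostile),
            "clean_ok": output_dir_sketch(clean) == (clean / ".recall").resolve(),
        }


if __name__ == "__main__":
    print(demo())
```

Callers should write through the resolved path the check returned, since re-resolving the original path later reopens the gap between check and use.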

Full changelog: https://github.com/raiyanyahya/recall/blob/master/CHANGELOG.md