v5.7.9

@alexgreensh alexgreensh released this 28 May 06:15
· 68 commits to main since this release

Security + correctness fix for archive cleanup:

  • Symlink guards: archive_root, session dirs, and listing paths all skip symlinks to prevent symlink-swap deletion attacks
  • shutil.rmtree: replaces manual unlink loop so nested subdirectories are properly cleaned (bug reported by @danikdanik in #39)
  • Python 3.9 safe: uses os.lstat() instead of stat(follow_symlinks=False), which requires 3.10+
  • Pre-existing issue fixed: hardened the same pattern in measure.py's archive_cleanup(), which already had an unguarded rmtree

Thanks @danikdanik for reporting the nested directory cleanup bug!
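
The guards listed above, sketched as an added example (not the project's own code): `cleanup_archive`, its parameters and the directory layout are hypothetical. It checks the archive root and every entry with `os.lstat()` so it runs on Python 3.9, skips anything that is not a real directory, and removes expired sessions with `shutil.rmtree` so nested subdirectories go too.

```python
import os
import shutil
import stat
import time


def cleanup_archive(archive_root, max_age_seconds, now=None):
    """Delete expired session directories; return the names removed.

    Hypothetical helper illustrating the guards in the release notes.
    """
    now = time.time() if now is None else now
    removed = []
    try:
        root_st = os.lstat(archive_root)  # lstat never follows symlinks
    except FileNotFoundError:
        return removed
    # Guard 1: refuse a root that is a symlink (or anything but a directory).
    if not stat.S_ISDIR(root_st.st_mode):
        return removed
    for name in sorted(os.listdir(archive_root)):
        path = os.path.join(archive_root, name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue  # entry vanished between listing and check
        # Guard 2: a symlink reports S_ISLNK under lstat, never S_ISDIR,
        # so links and plain files are skipped here.
        if not stat.S_ISDIR(st.st_mode):
            continue
        if now - st.st_mtime < max_age_seconds:
            continue  # still within the retention window
        # rmtree removes nested subdirectories; it also raises OSError if
        # the path was swapped for a symlink after the lstat above.
        shutil.rmtree(path)
        removed.append(name)
    return removed


if __name__ == "__main__":
    import tempfile
    base = tempfile.mkdtemp()  # constructed sample layout
    os.makedirs(os.path.join(base, "archive", "session-old", "nested"))
    os.makedirs(os.path.join(base, "outside"))
    os.symlink(os.path.join(base, "outside"),
               os.path.join(base, "archive", "link"))
    print(cleanup_archive(os.path.join(base, "archive"), 0))
```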