Commit 9d95f01

docs(CHANGELOG): update version to v35.19.0 instead of 35.18.1
1 parent 6ec9f9f commit 9d95f01

1 file changed

Lines changed: 1 addition & 1 deletion

CHANGELOG.md

@@ -35,7 +35,7 @@ vendored versions of ExifTool match the version that they vendor.
3535

3636
## History
3737

38-
### v35.18.1
38+
### v35.19.0
3939

4040
- 🔥 **Security: argument injection hardening [GHSA-cw26-7653-2rp5](https://github.com/photostructure/exiftool-vendored.js/security/advisories/GHSA-cw26-7653-2rp5).** ExifTool runs in `-stay_open True -@ -` mode, where arguments are read from stdin one per line. Several caller-supplied strings were previously interpolated into ExifTool arguments without rejecting line delimiters, so a `\n` inside a tag name or filename could split one argument into many. Two layers of defense have been added:
4141
- **Per-site validation.** A new `validateTagName` helper rejects tag-name strings that fall outside the ExifTool tag grammar (letters, digits, `:`, `-`, `_`, and the modifiers `*`, `?`, `+`, `#`). Applied to write tag keys, `deleteAllTags({retain})`, `read({numericTags})`, and the binary-extraction tag names. `imageHashType` is now also validated against an `ImageHashTypes` allowlist at runtime.
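
Review bot: The renamed heading at line 38 (`### v35.19.0`) is the only change in this commit, and nothing in the one changed file shows the package version or release tag moving with it; please confirm they also read v35.19.0 so the GHSA-cw26-7653-2rp5 hardening is attributed to the release that actually ships it. In the entry under that heading, the `validateTagName` bullet says out-of-grammar tag names are rejected but not how the rejection surfaces to the caller; since the check now applies to write tag keys, `deleteAllTags({retain})`, `read({numericTags})` and the binary-extraction tag names, one sentence stating the failure mode would help anyone upgrading to this release whose input previously passed through.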
