Commit graph

3 commits

Author SHA1 Message Date
Henrique Dias
8503ba61ff
fix(raw): neutralize backslashes in archive entry names (GHSA-83xp-526h-j3ww)
The fix for CVE-2026-54093 rewrote backslashes to the path separator "/" in
archive entry names. On POSIX hosts a backslash is a legal filename byte, so
that rewrite manufactured a traversal sequence ("..\..\x" -> "../../x") out
of a single in-scope file, turning a Windows-only zip-slip into a cross-platform
one. Neutralize backslashes to an inert character instead, and reject any entry
whose name is not already a normalized root-relative path. Adds a regression
test that downloads a folder containing a backslash-named file as a zip.
2026-06-27 08:39:14 +02:00
mehmet turac
103acd15fe
fix: force octet-stream for attachment downloads (#5942) 2026-06-03 11:59:17 +02:00
lif
8f81b77cf2
fix: include filename in Content-Disposition header for inline downloads (#5860) 2026-03-28 19:03:07 +01:00