Add comment about CVE

2025-08-07 13:44:55 +03:00 · 2022-11-07 09:45:23 +01:00 · 2022-11-07 09:45:23 +01:00 · 3658615659
commit 3658615659
parent 2e85f917ed
1 changed files with 3 additions and 0 deletions
--- a/spacy/cli/project/remote_storage.py
+++ b/spacy/cli/project/remote_storage.py
@ -85,6 +85,9 @@ class RemoteStorage:
                with tarfile.open(tar_loc, mode=mode_string) as tar_file:
                    # This requires that the path is added correctly, relative
                    # to root. This is how we set things up in push()
+
+                    # Disallow paths outside the current directory for the tar
+                    # file (CVE-2007-4559, directory traversal vulnerability)
                    def is_within_directory(directory, target):
                        abs_directory = os.path.abspath(directory)
                        abs_target = os.path.abspath(target)