From 3658615659a1f3011bdcd9bc0688bb81e733b009 Mon Sep 17 00:00:00 2001
From: Adriane Boyd
Date: Mon, 7 Nov 2022 09:45:23 +0100
Subject: [PATCH] Add comment about CVE
---
 spacy/cli/project/remote_storage.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/spacy/cli/project/remote_storage.py b/spacy/cli/project/remote_storage.py
index b03f74a2d..12e252b3c 100644
--- a/spacy/cli/project/remote_storage.py
+++ b/spacy/cli/project/remote_storage.py
@@ -85,6 +85,9 @@ class RemoteStorage:
 with tarfile.open(tar_loc, mode=mode_string) as tar_file:
 # This requires that the path is added correctly, relative
 # to root. This is how we set things up in push()
+
+ # Disallow paths outside the current directory for the tar
+ # file (CVE-2007-4559, directory traversal vulnerability)
 def is_within_directory(directory, target):
 abs_directory = os.path.abspath(directory)
 abs_target = os.path.abspath(target)
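Review bot: The new comment above `is_within_directory` says the check disallows paths outside the "current directory", but the helper takes `directory` as a parameter and compares against `os.path.abspath(directory)`, so the comment should name the extraction root rather than the working directory, e.g. `# Reject members whose paths resolve outside the extraction directory (CVE-2007-4559, tar path traversal)`. It is also worth stating in the same comment that `os.path.abspath` normalises `..` but does not resolve symlinks, so this guard on its own does not cover members that link out of the tree; the body of `is_within_directory` and the `extractall` call it presumably protects lie outside this hunk, so I cannot confirm how its result is used. On Python 3.12+ the stdlib `tarfile` extraction filters (`filter="data"`) implement this check including the link cases, and the comment could point to that as the preferred mechanism where that version is available. The enclosing method starts outside the hunk.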