gpt: User-controlled version can escape the app support directory #11

Closed
opened 2026-05-19 13:32:43 +00:00 by rc · 1 comment
Owner


[src/cmd_download.zig](/Users/rc/git/vmz/src/cmd_download.zig:19) and [src/utils.zig](/Users/rc/git/vmz/src/utils.zig:15) `version` is joined naively into a filesystem path. A value like `../../somewhere` can cause downloads and run paths to resolve outside `~/Library/Application Support/vmz`. Validate versions as a path segment: reject empty strings, separators, `.`/`..`, and probably anything outside Alpine-ish version names plus `latest-stable`.
Author
Owner
```
edge/                                              30-Sep-2015 07:58       -
latest-stable/                                     28-Nov-2025 14:54       -
v3.0/                                              07-May-2014 22:52       -
v3.1/                                              01-Jan-2015 07:25       -
v3.10/                                             31-May-2019 18:14       -
v3.11/                                             06-Dec-2019 18:36       -
v3.12/                                             22-May-2020 09:41       -
v3.13/                                             15-Jun-2021 19:47       -
v3.14/                                             24-Nov-2021 11:46       -
v3.15/                                             12-Nov-2021 13:57       -
v3.16/                                             16-May-2022 19:04       -
v3.17/                                             09-May-2023 19:39       -
v3.18/                                             02-May-2023 13:38       -
v3.19/                                             19-Nov-2023 16:19       -
v3.2/                                              24-Apr-2015 09:24       -
v3.20/                                             17-May-2024 13:28       -
v3.21/                                             29-Nov-2024 20:58       -
v3.22/                                             28-May-2025 05:24       -
v3.23/                                             28-Nov-2025 14:54       -
v3.24/                                             08-May-2026 17:21       -
v3.3/                                              21-May-2023 14:16       -
v3.4/                                              21-Apr-2016 12:39       -
v3.5/                                              16-Nov-2016 16:01       -
v3.6/                                              20-Apr-2017 10:47       -
v3.7/                                              23-Nov-2017 21:25       -
v3.8/                                              27-Apr-2018 06:06       -
v3.9/
```
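The check the issue asks for, written out as an added example in Zig rather than code from the vmz repository: a version string is accepted only when it is exactly one path segment and matches the names seen in the listing above (`edge`, `latest-stable`, or `v<digits>.<digits>`), and the path is joined only after that check passes. The function names `isValidVersion` and `versionDir`, the base directory, and the exact allowed shape of a release name are assumptions for illustration; the project's real file and function layout may differ.

```zig
const std = @import("std");

/// Hypothetical validator for the fix proposed in the issue: the version must be
/// usable as exactly one path segment under the app-support directory.
/// Accepts "edge", "latest-stable", or "v<digits>.<digits>" (e.g. "v3.21").
pub fn isValidVersion(version: []const u8) bool {
    // Empty, "." and ".." resolve to the directory itself or its parent.
    if (version.len == 0) return false;
    if (std.mem.eql(u8, version, ".") or std.mem.eql(u8, version, "..")) return false;
    // Any separator (or NUL) would let the value span more than one segment.
    for (version) |c| {
        if (c == '/' or c == '\\' or c == 0) return false;
    }
    if (std.mem.eql(u8, version, "edge") or std.mem.eql(u8, version, "latest-stable")) return true;
    return isAlpineRelease(version);
}

/// "v<major>.<minor>" with both parts non-empty and all ASCII digits.
fn isAlpineRelease(s: []const u8) bool {
    if (s.len < 4 or s[0] != 'v') return false;
    const rest = s[1..];
    const dot = std.mem.indexOfScalar(u8, rest, '.') orelse return false;
    return allDigits(rest[0..dot]) and allDigits(rest[dot + 1 ..]);
}

fn allDigits(s: []const u8) bool {
    if (s.len == 0) return false;
    for (s) |c| {
        if (!std.ascii.isDigit(c)) return false;
    }
    return true;
}

/// Joins base and version only after validation, so the result cannot leave `base`.
/// The caller owns the returned slice.
pub fn versionDir(allocator: std.mem.Allocator, base: []const u8, version: []const u8) ![]u8 {
    if (!isValidVersion(version)) return error.InvalidVersion;
    return std.fs.path.join(allocator, &.{ base, version });
}

test "accepts Alpine-style names" {
    try std.testing.expect(isValidVersion("v3.21"));
    try std.testing.expect(isValidVersion("v3.0"));
    try std.testing.expect(isValidVersion("edge"));
    try std.testing.expect(isValidVersion("latest-stable"));
}

test "rejects anything that is not a single safe segment" {
    try std.testing.expect(!isValidVersion(""));
    try std.testing.expect(!isValidVersion("."));
    try std.testing.expect(!isValidVersion(".."));
    try std.testing.expect(!isValidVersion("../../somewhere"));
    try std.testing.expect(!isValidVersion("v3.21/extra"));
    try std.testing.expect(!isValidVersion("v3"));
    try std.testing.expect(!isValidVersion("v3.21.1")); // extra dotted part
    try std.testing.expect(!isValidVersion("3.21"));
}

test "versionDir refuses traversal and joins valid names" {
    const a = std.testing.allocator;
    const ok = try versionDir(a, "/tmp/vmz", "v3.21");
    defer a.free(ok);
    try std.testing.expectEqualStrings("/tmp/vmz/v3.21", ok);
    try std.testing.expectError(error.InvalidVersion, versionDir(a, "/tmp/vmz", "../../somewhere"));
}
```

Run with `zig test` on the file. The validator is an allow-list, not a deny-list: rather than trying to strip `..` or separators out of arbitrary input, it accepts only the shapes the mirror actually publishes, which is also what keeps a later change to the download URL from silently widening what reaches the filesystem.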
rc closed this issue 2026-05-22 14:00:20 +00:00
Reference
rc/vmz#11