From 5b087d6aebaf44c5e7f6f1b3eaab09cc61e3d36f Mon Sep 17 00:00:00 2001 From: Mark Backman Date: Mon, 4 May 2026 16:22:26 -0400 Subject: [PATCH] docs: add changelog for #4417 --- changelog/4417.security.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog/4417.security.md diff --git a/changelog/4417.security.md b/changelog/4417.security.md new file mode 100644 index 000000000..a51c369df --- /dev/null +++ b/changelog/4417.security.md @@ -0,0 +1 @@ +- Fixed a path traversal issue in the development runner's `/files/{filename:path}` download endpoint. Previously, when the runner was started with `--folder`, a request like `/files/..%2F..%2Fetc%2Fpasswd` could escape the configured folder because `%2F`-encoded separators bypassed Starlette's path normalisation. The endpoint now resolves the joined path and rejects any filename that escapes the allowed base with a 403, and also returns 404 (instead of an implicit `null` 200) when `--folder` is unset.