From cff4b4e41dc60e699cfb94bac17e498d2cb2ebd1 Mon Sep 17 00:00:00 2001
From: Catherine
Date: Sat, 30 May 2026 18:53:00 +0000
Subject: [PATCH] [security] Forbid backslashes from occurring in project names.

This addresses an authorization bypass (which could occur only on Windows). A more principled way to do this would be to use `os.Root.OpenRoot` and scope the actual filesystem operations per-domain. However, I prototyped this and it was complicated enough that it wasn't clear whether this would not introduce new issues.

V12-Ref: F-77209
---
 src/auth.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/auth.go b/src/auth.go
index b9bfeb3..62f4616 100644
--- a/src/auth.go
+++ b/src/auth.go
@@ -83,7 +83,7 @@ func ValidateProjectName(name string) error {
 return fmt.Errorf("must not start with %q", ".")
 }

- forbiddenChars := "%*"
+ forbiddenChars := "%*\\"
 if strings.ContainsAny(name, forbiddenChars) {
 return fmt.Errorf("must not contain any of %q", forbiddenChars)
 }
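Review bot: The `forbiddenChars` line is still a denylist, so it only blocks characters already known to cause trouble; any other character that Windows treats specially inside a path component (`:` is one candidate) would pass this check as far as the hunk shows, whereas an allowlist of permitted characters would fail closed. Whether `/` or `:` are rejected elsewhere cannot be confirmed here, because the body of `ValidateProjectName` starts and ends outside the hunk. The string also carries no explanation of why each character is banned; I would add `// '\\' is a path separator on Windows; see V12-Ref F-77209` above it so the entry is not removed later as redundant. The diffstat shows only src/auth.go changing, so a regression test asserting that a name containing a backslash is rejected should accompany the fix.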