[fonttools/fonttools] b00bc4: varLib_test: test path traversal in variable-font ...


Cosimo Lupo

Nov 28, 2025, 11:11:01 AM
to fontto...@googlegroups.com
Branch: refs/heads/main
Home: https://github.com/fonttools/fonttools
Commit: b00bc459efac4d9d52a1eafa2cdd2c7ff503ced7
https://github.com/fonttools/fonttools/commit/b00bc459efac4d9d52a1eafa2cdd2c7ff503ced7
Author: Cosimo Lupo <cl...@google.com>
Date: 2025-11-21 (Fri, 21 Nov 2025)

Changed paths:
M Tests/varLib/varLib_test.py

Log Message:
-----------
varLib_test: test path traversal in variable-font filename

Reproduces https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv


Commit: a696d5ba93270d5954f98e7cab5ddca8a02c1e32
https://github.com/fonttools/fonttools/commit/a696d5ba93270d5954f98e7cab5ddca8a02c1e32
Author: Cosimo Lupo <cl...@google.com>
Date: 2025-11-21 (Fri, 21 Nov 2025)

Changed paths:
M Doc/source/designspaceLib/xml.rst
M Lib/fontTools/designspaceLib/__init__.py
M Lib/fontTools/varLib/__init__.py

Log Message:
-----------
varLib: only use the basename(vf.filename)

Fontmake has already done that since the beginning:
https://github.com/googlefonts/fontmake/blob/35e9e5dbdf2130a04c54688bb1bdbcfdb4b5fc67/Lib/fontmake/font_project.py#L438

It's safer to disallow path traversal, as it may lead to an arbitrary file write vulnerability; see https://github.com/fonttools/fonttools/security/advisories/GHSA-768j-98cg-p3fv


Commit: 5ff73af3265e0b5207c3a2870c9f0ccc8ee19d0f
https://github.com/fonttools/fonttools/commit/5ff73af3265e0b5207c3a2870c9f0ccc8ee19d0f
Author: Cosimo Lupo <cos...@anthrotype.com>
Date: 2025-11-28 (Fri, 28 Nov 2025)

Changed paths:
M Doc/source/designspaceLib/xml.rst
M Lib/fontTools/designspaceLib/__init__.py
M Lib/fontTools/varLib/__init__.py
M Tests/varLib/varLib_test.py

Log Message:
-----------
Merge commit from fork

[varLib] only use the basename of variable-font's filename attribute


Compare: https://github.com/fonttools/fonttools/compare/066512e4f339...5ff73af3265e
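The commit messages above describe the bug class (a designspace `<variable-font filename="...">` value joined verbatim onto the output directory, so `..` components or an absolute path steer the write elsewhere) and the mitigation (keep only the basename). The block below is an added example, not fontTools or fontmake code, and does not reproduce the varLib API: it shows the verbatim join beside the basename version on constructed sample filenames, plus the two extra guards a practitioner would want, since `os.path.basename("..")` is still `..` and `os.path.basename("dir/")` is the empty string. `OUTPUT_DIR`, `SAMPLE_FILENAMES` and every function name here are assumptions for the illustration.

```python
import os

# Constructed sample values for a designspace <variable-font filename="..."> attribute.
# They are illustrations for this example, not payloads from the advisory.
OUTPUT_DIR = "/build/out"
SAMPLE_FILENAMES = [
    "MyFont-VF.ttf",                # ordinary name, stays inside OUTPUT_DIR
    "sub/dir/MyFont-VF.ttf",        # relative subdirectory
    "../../outside/MyFont-VF.ttf",  # traversal upward
    "/tmp/absolute/MyFont-VF.ttf",  # absolute path: os.path.join discards OUTPUT_DIR
    "..",                           # bare parent reference, survives basename()
]


def naive_output_path(output_dir: str, vf_filename: str) -> str:
    """'Before' behaviour: join the attribute verbatim.

    os.path.join drops output_dir entirely when vf_filename is absolute, and
    '..' components walk out of output_dir, so whoever wrote the designspace
    chooses where the variable font is written.
    """
    return os.path.normpath(os.path.join(output_dir, vf_filename))


def basename_output_path(output_dir: str, vf_filename: str) -> str:
    """Mitigation named in the commit message: keep only the basename.

    Directory components supplied by the designspace are dropped, so the
    traversal and absolute-path samples collapse to a name inside output_dir.
    """
    return os.path.normpath(os.path.join(output_dir, os.path.basename(vf_filename)))


def is_inside(output_dir: str, candidate: str) -> bool:
    """Containment check: candidate must resolve to output_dir or somewhere below it."""
    out = os.path.abspath(output_dir)
    cand = os.path.abspath(candidate)
    return os.path.commonpath([out, cand]) == out


def safe_output_path(output_dir: str, vf_filename: str) -> str:
    """basename() plus the guards a hardened version needs (assumed, not fontTools').

    basename('..') is still '..', basename('dir/') is '', and '.' names a
    directory; none of these is a usable file name, so reject them instead of
    letting the join land on output_dir's parent or on output_dir itself.
    The final containment check is defence in depth against anything missed.
    """
    base = os.path.basename(vf_filename)
    if base in ("", ".", ".."):
        raise ValueError(f"unusable variable-font filename: {vf_filename!r}")
    candidate = os.path.normpath(os.path.join(output_dir, base))
    if not is_inside(output_dir, candidate):
        raise ValueError(f"refusing to write outside {output_dir!r}: {candidate!r}")
    return candidate


def escapes_with_naive_join(output_dir: str, vf_filename: str) -> bool:
    """True when the verbatim join would write outside output_dir."""
    return not is_inside(output_dir, naive_output_path(output_dir, vf_filename))


if __name__ == "__main__":
    for name in SAMPLE_FILENAMES:
        naive = naive_output_path(OUTPUT_DIR, name)
        try:
            safe = safe_output_path(OUTPUT_DIR, name)
        except ValueError as exc:
            safe = f"rejected ({exc})"
        print(f"{name!r:32} naive={naive!r:34} "
              f"escapes={escapes_with_naive_join(OUTPUT_DIR, name)!s:5} safe={safe!r}")
```

Run it as a script to see each sample's verbatim join, whether that join escapes the output directory, and what the guarded version produces or rejects. The containment check is worth keeping even after switching to the basename, because it fails closed: if some later code path reintroduces a join on an unsanitised string, the write is refused rather than silently landing outside the build directory.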
