We're evolving to serve you better! This current forum has transitioned to read-only mode. For new discussions, support, and engagement, we've moved to GitHub Discussions.

webp 0day

  • #10637
    Avatar photo[anonymous]

    Hey guys,

    Have you seen this : ?

    Possible that you need to check for electron’s update (and maybe other lib w/ some img management ?) to provide an update of Publii embarking the security fixes once they’re published.

    Avatar photo[anonymous]


    Thank you for mentioning this

    Tomorrow we want to publish files of Publii v.0.43 and fortunately as I see two dependencies will solve this issue (Electron and sharp) – it will be upgraded to the newest possible versions.

    Fortunately due Publii nature this bug has limited impact, because firstly user has to use WebP image from untrusted source. I do not see a way to evaluate it remotely as e.g. in 1password where some other user from the shared vault could change a vault image to an affected one and then attack other users of the vault.