[Pkg-privacy-maintainers] Bug#1139717: onionshare: OnionShare follows symlinks in shared directories, allowing unintended disclosure of local files
Salvatore Bonaccorso
carnil at debian.org
Thu Jun 11 19:48:16 BST 2026
Source: onionshare
Version: 2.6.3-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi
From https://github.com/onionshare/onionshare/security/advisories/GHSA-22p9-r2f5-22mf
> OnionShare CLI/Desktop 2.6.3 can follow symbolic links inside a
> selected Share or Website directory and serve the symlink target
> rather than limiting access to files physically contained in the
> selected directory. If a user shares a directory that contains
> attacker-supplied or otherwise untrusted symlinks, a remote recipient
> with access to the OnionShare service can read arbitrary local files
> readable by the OnionShare process that the symlink points to.
>
> This affects the shipped onionshare-cli Python package and the desktop
> application because both call the same onionshare_cli.web
> file-indexing and streaming code.
Regards,
Salvatore
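The advisory above describes a lookup that joins the client-supplied name onto the share directory and serves whatever the resulting path resolves to, so a symlink inside the share redirects the server to a file outside it. The following is an added example (not OnionShare's code, and not taken from the advisory) that contrasts that naive lookup with a hardened one: `safe_share_path` rejects absolute paths and `..` components, refuses any path component that is a symlink (checked with `lstat`, which does not follow links), and then confirms that the real resolved path is still inside the real share root. `index_share` applies the same policy when building the file listing, skipping symlinks rather than advertising them. The share layout, file names and contents in `demo()` are constructed fixtures built in a temporary directory; the function and exception names are this example's own.

```python
import os
import stat
import tempfile


class ShareAccessError(Exception):
    """Raised when a requested path must not be served from the share."""


def naive_share_path(share_root: str, requested: str) -> str:
    """The pattern the advisory describes, shown for contrast only: join the
    client-supplied name onto the root and let open() follow any symlink."""
    return os.path.join(share_root, requested)


def safe_share_path(share_root: str, requested: str) -> str:
    """Map a client-supplied relative path to a regular file physically
    inside share_root and return its absolute path, or raise ShareAccessError."""
    root = os.path.realpath(share_root)
    parts = [p for p in requested.replace("\\", "/").split("/") if p not in ("", ".")]
    if os.path.isabs(requested) or ".." in parts:
        raise ShareAccessError("path traversal component rejected")
    current = root
    for part in parts:
        current = os.path.join(current, part)
        # lstat does not follow links: any symlink component is refused,
        # even one that happens to point back inside the share.
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            raise ShareAccessError("no such file in share")
        if stat.S_ISLNK(st.st_mode):
            raise ShareAccessError("symlink inside share rejected")
    # Belt and braces: the fully resolved path must still sit under the real root.
    resolved = os.path.realpath(current)
    if os.path.commonpath([root, resolved]) != root:
        raise ShareAccessError("resolved path escapes share root")
    if not os.path.isfile(resolved):
        raise ShareAccessError("not a regular file")
    return resolved


def index_share(share_root: str) -> list:
    """List the relative paths to advertise: regular files only. Symlinks to
    files are skipped and symlinked directories are not descended into."""
    root = os.path.realpath(share_root)
    listing = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames[:] = [d for d in dirnames if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            listing.append(os.path.relpath(full, root))
    return sorted(listing)


def demo() -> dict:
    """Build a constructed share containing one real file and one symlink that
    points outside the share, then record how each lookup treats them."""
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share")
        os.mkdir(share)
        with open(os.path.join(share, "readme.txt"), "w") as f:
            f.write("public\n")
        secret = os.path.join(tmp, "secret.txt")  # constructed file outside the share
        with open(secret, "w") as f:
            f.write("private\n")
        os.symlink(secret, os.path.join(share, "notes.txt"))

        results = {}
        # Naive lookup: the symlink is followed and the outside file is read.
        with open(naive_share_path(share, "notes.txt")) as f:
            results["naive_symlink_content"] = f.read().strip()
        # Hardened lookup: the real file is served, the symlink is refused.
        with open(safe_share_path(share, "readme.txt")) as f:
            results["safe_regular_content"] = f.read().strip()
        for name in ("notes.txt", "../secret.txt", "/absolute/elsewhere"):
            try:
                safe_share_path(share, name)
                results[name] = "served"
            except ShareAccessError as exc:
                results[name] = str(exc)
        results["index"] = index_share(share)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Rejecting every symlink component, rather than only those whose target resolves outside the root, is the simpler policy to reason about and matches the advisory's wording of serving only files "physically contained in the selected directory"; a containment check on `realpath` alone would still be racy if a link is swapped between the check and the `open`, so the `lstat` walk and the final `realpath` comparison are used together.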