[Pkg-privacy-maintainers] Bug#1139716: onionshare: OnionShare Receive mode writes uploaded files even when file uploads are disabled
Salvatore Bonaccorso
carnil at debian.org
Thu Jun 11 19:47:07 BST 2026
Source: onionshare
Version: 2.6.3-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi
https://github.com/onionshare/onionshare/security/advisories/GHSA-v833-3823-cmhp
> OnionShare CLI/Desktop 2.6.3 does not enforce the Receive mode
> disable_files setting at the file upload sink. When a Receive service
> is configured as a text-message-only endpoint (--disable-files /
> "Disable uploading files"), a remote sender who can reach the
> OnionShare service can still send a crafted multipart request
> containing file[]; OnionShare writes the uploaded bytes to disk before
> the route handler skips file accounting.
>
> This affects the shipped onionshare-cli Python package and the desktop
> application because both use the same onionshare_cli.web.receive_mode
> request-streaming implementation.
Regards,
Salvatore
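Added illustration of the pattern the advisory describes (not OnionShare's own code; the function names, the simplified sink and the multipart body are constructed for this example): a receive-mode sink that writes file[] parts as they stream in and leaves the disable_files check to the route handler, beside a sink that enforces the setting before anything touches disk.

```python
import os
import tempfile
from email.parser import BytesParser
from email.policy import default

# Constructed request body (not captured traffic): a text field plus a
# file[] part, the shape the advisory describes for a text-only endpoint.
BOUNDARY = b"----constructed-boundary"
BODY = (
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="text"\r\n\r\nhello\r\n'
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="file[]"; filename="note.txt"\r\n'
    b"Content-Type: text/plain\r\n\r\nshould never reach disk\r\n"
    b"--" + BOUNDARY + b"--\r\n"
)

def iter_parts(body, boundary):
    """Yield (field, filename, payload) per part using the stdlib parser."""
    msg = BytesParser(policy=default).parsebytes(
        b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n\r\n" + body)
    for part in msg.iter_parts():
        yield (part.get_param("name", header="content-disposition"),
               part.get_filename(), part.get_payload(decode=True))

def sink_then_handler(body, boundary, upload_dir, disable_files):
    """Flawed pattern: the sink writes every file[] part as it streams in;
    the handler consults disable_files only afterwards. Returns files written."""
    for field, filename, payload in iter_parts(body, boundary):
        if field == "file[]":
            with open(os.path.join(upload_dir, os.path.basename(filename)), "wb") as f:
                f.write(payload)
    # route handler would check disable_files here and skip accounting: too late
    return sorted(os.listdir(upload_dir))

def sink_enforces_setting(body, boundary, upload_dir, disable_files):
    """Fixed pattern: the sink itself consults disable_files before any
    write; file parts are drained and dropped when uploads are disabled."""
    for field, filename, payload in iter_parts(body, boundary):
        if field == "file[]":
            if disable_files:
                continue  # nothing touches disk
            with open(os.path.join(upload_dir, os.path.basename(filename)), "wb") as f:
                f.write(payload)
    return sorted(os.listdir(upload_dir))

def run_both(disable_files):
    """Same request through both sinks; returns (flawed files, fixed files)."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        return (sink_then_handler(BODY, BOUNDARY, a, disable_files),
                sink_enforces_setting(BODY, BOUNDARY, b, disable_files))
```

With uploads disabled, the flawed sink still leaves note.txt on disk while the fixed one writes nothing; with uploads enabled both behave the same, which is the check a regression test for this bug should make.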