
2.22.1: CVE-2023-23608

@stephanebruckert stephanebruckert released this 23 Jan 19:39

Fixed

  • CVE-2023-23608: fixed a path traversal vulnerability in the URI handling code that may lead to type confusion. The fix also prevents a potential XSS attack.
    • Upgrade if your app is user-facing and accepts user input for any kind of Spotify ID/URI/URL that may be forwarded to the Spotify API. Thanks to @Shaderbug for finding and fixing this bug (b1db0b6)

Changed

  • Modified the docstring of the deprecated playlist_add_items() to state that it accepts "only URIs or URLs", with a fix for IDs intended for v3.
    • The bug still exists for developers dealing with episode IDs rather than just track IDs. However, it is recommended to use the new playlist_add_tracks() or playlist_add_episodes() when dealing with episodes, or simply to avoid confusion. See #919 by @oliveraw for context
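The two notes above concern the same input-handling problem: a user-supplied Spotify ID, URI or URL is reduced to an ID and spliced into a Web API request path, so an unvalidated value can change the request path (the CVE) or silently pass an episode where a track was expected (the playlist_add_items() note). The following is an added illustration, not spotipy's own code or the fix in b1db0b6: `naive_get_id` shows the unsafe pattern of trusting the last path or URI segment, and `safe_get_id` shows a hardened parser that verifies the resource type and the 22-character base62 ID alphabet before the value can reach a request path. All function names and `CONSTRUCTED_ID` are assumptions made for this example.

```python
import posixpath
import re
from urllib.parse import urlparse

# Hypothetical helpers for illustration; not spotipy's implementation.
# Spotify catalogue IDs are 22-character base62 strings.
_ID_RE = re.compile(r"^[0-9A-Za-z]{22}$")
_RESOURCE_TYPES = ("track", "album", "artist", "playlist", "episode", "show")

# Constructed sample ID (well-formed shape, not a real catalogue item).
CONSTRUCTED_ID = "0123456789abcdefghijkL"


class InvalidSpotifyIdentifier(ValueError):
    """Raised when input is not a well-formed ID/URI/URL of the expected type."""


def naive_get_id(value):
    """Illustrative UNSAFE extraction: trusts whatever follows the last ':'
    or '/'. Path separators and '..' pass straight through to the caller."""
    if value.startswith("spotify:"):
        return value.rsplit(":", 1)[-1]
    if value.startswith("http"):
        return value.rsplit("/", 1)[-1].split("?", 1)[0]
    return value


def safe_get_id(resource_type, value):
    """Hardened extraction: accept a bare ID, a spotify:<type>:<id> URI, or an
    https://open.spotify.com/<type>/<id> URL, then verify that the embedded
    type matches what the caller expects and that the ID is base62 only."""
    if resource_type not in _RESOURCE_TYPES:
        raise InvalidSpotifyIdentifier(f"unsupported resource type {resource_type!r}")
    if value.startswith("spotify:"):
        parts = value.split(":")
        if len(parts) != 3:
            raise InvalidSpotifyIdentifier(f"malformed URI {value!r}")
        found_type, candidate = parts[1], parts[2]
    elif "://" in value:
        parsed = urlparse(value)
        if parsed.scheme != "https" or parsed.netloc != "open.spotify.com":
            raise InvalidSpotifyIdentifier(f"unexpected URL origin in {value!r}")
        # Exactly <type>/<id>; anything else (extra or '..' segments) is rejected.
        segments = [s for s in parsed.path.split("/") if s]
        if len(segments) != 2:
            raise InvalidSpotifyIdentifier(f"unexpected URL path in {value!r}")
        found_type, candidate = segments
    else:
        found_type, candidate = resource_type, value
    if found_type != resource_type:
        # Type confusion: e.g. an episode URI handed to a track-only call.
        raise InvalidSpotifyIdentifier(
            f"expected a {resource_type} but got a {found_type}")
    if not _ID_RE.match(candidate):
        raise InvalidSpotifyIdentifier(f"malformed ID {candidate!r}")
    return candidate


def api_path(resource_type, extracted_id):
    """Build the request path as a client would, then normalise it the way a
    server or HTTP library would resolve '..' segments."""
    return posixpath.normpath(f"/v1/{resource_type}s/{extracted_id}")


def stays_under_endpoint(resource_type, extracted_id):
    """True if the resolved path is still below the intended endpoint."""
    return api_path(resource_type, extracted_id).startswith(f"/v1/{resource_type}s/")


def rejects(resource_type, value):
    """True if safe_get_id refuses the input (used for checks below)."""
    try:
        safe_get_id(resource_type, value)
    except InvalidSpotifyIdentifier:
        return True
    return False


if __name__ == "__main__":
    for raw in (CONSTRUCTED_ID,
                f"spotify:episode:{CONSTRUCTED_ID}",
                "spotify:track:../../me"):
        print(f"{raw!r:45} naive -> {api_path('track', naive_get_id(raw))!r}"
              f"  hardened rejects? {rejects('track', raw)}")
```

The important design point is that validation happens on the extracted ID, not on the raw string: the regex alone rules out every path separator and dot, and the type comparison is what turns a silent episode-as-track mix-up into an explicit error. Real user profile IDs are not base62 and would need a separate rule, which is why `user` is deliberately absent from `_RESOURCE_TYPES` here.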