hack-house/cmd_chat/client
leetcrypt dc23e0b44e fix(client): prevent path traversal on file receive
The Python client saved an incoming transfer under the offerer-controlled
`name` field verbatim, so a peer could supply `../../…` or an absolute path
and write a file anywhere the user can (arbitrary write → RCE). Reduce the
name to a bare basename before joining it to the download dir, matching the
Rust client's existing behaviour.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-04 22:55:50 -07:00
__init__.py feat(agent): model-agnostic AI agent bridge (PoC) + pin lets-hack demo to main 2026-06-01 02:05:48 -07:00
client.py fix(client): prevent path traversal on file receive 2026-06-04 22:55:50 -07:00