operations: add AuthRequired to operations/fsinfo to prevent backend creation CVE-2026-41179

The operations/fsinfo RC endpoint was registered without AuthRequired,
allowing unauthenticated callers to instantiate arbitrary backends via
inline backend definitions.

See GHSA-jfwf-28xr-xw6q
Nick Craig-Wood
2026-04-14 17:08:55 +01:00
parent 08490972a5
commit 9e3e68d00c


@@ -430,9 +430,10 @@ func rcPublicLink(ctx context.Context, in rc.Params) (out rc.Params, err error)
func init() {
rc.Add(rc.Call{
Path: "operations/fsinfo",
Fn: rcFsInfo,
Title: "Return information about the remote",
Path: "operations/fsinfo",
AuthRequired: true,
Fn: rcFsInfo,
Title: "Return information about the remote",
Help: `This takes the following parameters:
- fs - a remote name string e.g. "drive:"
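
Review bot: The `AuthRequired: true` line added to the `operations/fsinfo` registration comes with no regression test in the visible hunk, so a later edit to this `rc.Call` could drop the field without anything failing; suggest a test that looks up `operations/fsinfo` among the registered calls and asserts that AuthRequired is set. The Help text starting "This takes the following parameters:" also does not say that the call now needs authentication, so a sentence there would help callers who relied on the previous behaviour. Because the commit message ties the issue to inline backend definitions supplied through `fs`, it is worth confirming in the same review that every other registered call accepting an `fs` parameter carries the same flag.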