|
1 | | -## 2.3.2-dev.XX.0 |
| 1 | +## 2.3.3-dev.XX.0 |
2 | 2 | (Add new changes here, and they will be copied to the change section for the |
3 | 3 | next dev version) |
4 | 4 |
|
5 | | -### Security vulnerability |
6 | | - |
7 | | -* **Security improvement:** On Linux and Android, starting a process with |
8 | | - `Process.run`, `Process.runSync`, or `Process.start` would first search the |
9 | | - current directory before searching `PATH` (Issue [37101][]). This behavior |
10 | | - effectively put the current working directory in the front of `PATH`, even if |
11 | | - it wasn't in the `PATH`. This release changes that behavior to only searching |
12 | | - the directories in the `PATH` environment variable. Operating systems other |
13 | | - than Linux and Android didn't have this behavior and aren't affected by this |
14 | | - vulnerability. |
15 | | - |
16 | | - This vulnerability could result in execution of untrusted code if a command |
17 | | - without a slash in its name was run inside an untrusted directory containing |
18 | | - an executable file with that name: |
19 | | - |
20 | | - ```dart |
21 | | - Process.run("ls", workingDirectory: "/untrusted/directory") |
22 | | - ``` |
23 | | - |
24 | | - This would attempt to run `/untrusted/directory/ls` if it existed, even |
25 | | - though it is not in the `PATH`. It was always safe to instead use an absolute |
26 | | - path or a path containing a slash. |
27 | | - |
28 | | - This vulnerability was introduced in Dart 2.0.0. |
29 | | - |
30 | | -[37101]: https://github.com/dart-lang/sdk/issues/37101 |
31 | | - |
32 | 5 | ### Core libraries |
33 | 6 |
|
34 | 7 | #### `dart:isolate` |
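Review bot: The removed block at the top of the dev section takes the `[37101]:` link definition with it, so any `[37101][]` reference still left elsewhere in the 2.3.3-dev section would render as a dead link; worth checking before landing. With the entry gone, the dev section also no longer says whether 2.3.3-dev builds carry the `Process.run` / `Process.runSync` / `Process.start` lookup change. A one-line pointer to the 2.3.2 entry would let dev-channel readers confirm that without scrolling through the file.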
@@ -171,6 +144,37 @@ Updated the linter to `0.1.89`, which includes the following changes: |
171 | 144 | * **Breaking change:** The `await for` allowed `null` as a stream due to a bug |
172 | 145 | in `StreamIterator` class. This bug has now been fixed. |
173 | 146 |
|
| 147 | +## 2.3.2 - 2019-06-11 |
| 148 | + |
| 149 | +This is a patch version release with a security improvement. |
| 150 | + |
| 151 | +### Security vulnerability |
| 152 | + |
| 153 | +* **Security improvement:** On Linux and Android, starting a process with |
| 154 | + `Process.run`, `Process.runSync`, or `Process.start` would first search the |
| 155 | + current directory before searching `PATH` (Issue [37101][]). This behavior |
| 156 | + effectively put the current working directory in the front of `PATH`, even if |
| 157 | + it wasn't in the `PATH`. This release changes that behavior to only searching |
| 158 | + the directories in the `PATH` environment variable. Operating systems other |
| 159 | + than Linux and Android didn't have this behavior and aren't affected by this |
| 160 | + vulnerability. |
| 161 | + |
| 162 | + This vulnerability could result in execution of untrusted code if a command |
| 163 | + without a slash in its name was run inside an untrusted directory containing |
| 164 | + an executable file with that name: |
| 165 | + |
| 166 | + ```dart |
| 167 | + Process.run("ls", workingDirectory: "/untrusted/directory") |
| 168 | + ``` |
| 169 | + |
| 170 | + This would attempt to run `/untrusted/directory/ls` if it existed, even |
| 171 | + though it is not in the `PATH`. It was always safe to instead use an absolute |
| 172 | + path or a path containing a slash. |
| 173 | + |
| 174 | + This vulnerability was introduced in Dart 2.0.0. |
| 175 | + |
| 176 | +[37101]: https://github.com/dart-lang/sdk/issues/37101 |
| 177 | + |
174 | 178 | ## 2.3.1 - 2019-05-21 |
175 | 179 |
|
176 | 180 | This is a patch version release with bug fixes. |
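Review bot: The new 2.3.2 entry states that lookup now searches only the directories in `PATH`, but it gives no direct guidance to callers on Linux and Android who relied on the old working-directory lookup. The closing paragraph already says an absolute path or a path containing a slash was always safe; consider adding a sentence that says such callers should switch to one of those forms. Two smaller points: the heading reads "Security vulnerability" while the bullet under it is labelled "Security improvement", so pick one term, and the affected range (introduced in Dart 2.0.0, changed in this release) would be easier to act on if stated together in one sentence rather than split between the first and last paragraphs.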
|