mirror of
https://github.com/actions-rust-lang/rustfmt.git
synced 2025-12-27 01:54:20 -05:00
Update changelog
13
CHANGELOG.md
@@ -7,6 +7,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||
|
||||
## [Unreleased]
|
||||
|
||||
## [1.1.2] - 2025-12-14
|
||||
|
||||
### Fixed
|
||||
|
||||
* Fixed a command injection vulnerability via the `manifest-path` input parameter.
|
||||
|
||||
The code was using GitHub action templates to inject the value directly into the shell command, which does not perform the necessary escaping.
|
||||
For fixing the issue, the value is passed via an environment variable, which performs the proper escaping.
|
||||
This is only an issue if the `manifest-path` parameter was set from some other untrusted source.
|
||||
Using a static string to call the action is safe.
|
||||
|
||||
Thanks to @mleblebici for reporting and fixing the issue.
|
||||
|
||||
## [1.1.1] - 2024-10-01
|
||||
|
||||
### Fixed
|
||||
|
||||
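Review bot: In the 1.1.2 entry, "the value is passed via an environment variable, which performs the proper escaping" misdescribes the fix. An environment variable does no escaping; it keeps the value out of the script text, so the shell never parses it as code. Suggest rewording to something like "The value is now passed via an environment variable, so it is no longer interpolated into the shell command". The entry should also say which released versions are affected, so users who set `manifest-path` from an untrusted source know whether they need to upgrade.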