Directory traversal attack allowed when running in debug mode

[5225225]

#[derive(rust_embed::RustEmbed)]
#[folder = "src/"]
struct Asset;

fn main() {
    let d = Asset::get("../../../etc/passwd").unwrap().data;
    println!("{}", String::from_utf8_lossy(&d));
}

This code will (assuming you have the correct number of ../s), print out the contents of your /etc/passwd.

[AzureMarker]

Thanks for the report. I'll open a PR ASAP.

[pyrossh]

Fix is released in v6.3.0. Thanks for finding the vulnerability @5225225.
Thanks for the quick fix @AzureMarker.

[5225225]

I'll file a https://rustsec.org/ vuln today to hopefully get anyone on vulnerable versions to upgrade, assuming they run cargo-audit or similar.

[5225225]

Also, the readme / changelog needs to be updated.

[pyrossh]

Ahh I forgot to push my commit. Thanks.