spaCy

Sanitize direct download

Open · honnibal opened this issue 1 year ago · 0 comments

The 'direct' option in 'spacy download' is supposed to only download from our model releases repository. However, users were able to pass in a relative path, allowing download from arbitrary repositories. This meant that a service that sourced strings from user input and which used the direct option would allow users to install arbitrary packages.

honnibal · Feb 08 '24 14:02
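The issue above describes the general shape of the bug: a model identifier passed to the `direct` option was interpolated into a release URL without validation, so a relative path could redirect the download elsewhere. The following is an added example (not spaCy's own code, and not the fix that was merged) showing the naive builder beside a hardened one. It assumes an illustrative release base URL (`RELEASES_BASE`, modelled on spaCy's public model-release convention) and a constructed `<package>-<version>` grammar for the identifier; the function names (`build_direct_url`, `build_direct_url_unsafe`, `parse_direct_name`, `url_within_base`) are hypothetical.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Assumed release location for model wheels (illustrative; the issue itself
# does not name the URL).
RELEASES_BASE = "https://github.com/explosion/spacy-models/releases/download"

# Constructed allowlist for the "direct" form "<package>-<version>":
# package names are letters, digits and underscores; versions are dotted
# digits with an optional lowercase pre-release suffix such as "3.7.1rc0".
_DIRECT_RE = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z0-9_]*)-(?P<version>\d+(?:\.\d+)*(?:[a-z]+\d*)?)$"
)


def build_direct_url_unsafe(model: str) -> str:
    """Naive interpolation: trusts the caller's string verbatim, so any
    path separators or '..' segments end up in the URL unchanged."""
    return f"{RELEASES_BASE}/{model}/{model}-py3-none-any.whl"


def parse_direct_name(model: str) -> tuple[str, str]:
    """Accept only identifiers matching the allowlist; everything else
    (slashes, dots outside the version, query strings) is rejected."""
    m = _DIRECT_RE.match(model)
    if m is None:
        raise ValueError(f"invalid model identifier: {model!r}")
    return m.group("name"), m.group("version")


def url_within_base(url: str, base: str = RELEASES_BASE) -> bool:
    """Secondary check: after path normalisation the URL must still point
    at the same host and live under the release repository prefix.
    This catches '..' traversal even if the allowlist were loosened later."""
    u, b = urlsplit(url), urlsplit(base)
    if (u.scheme, u.netloc) != (b.scheme, b.netloc):
        return False
    norm = posixpath.normpath(u.path)
    return norm == b.path or norm.startswith(b.path + "/")


def build_direct_url(model: str) -> str:
    """Hardened builder: validate first, rebuild the identifier from the
    parsed parts, then confirm the result stays inside the release repo."""
    name, version = parse_direct_name(model)
    ident = f"{name}-{version}"
    url = f"{RELEASES_BASE}/{ident}/{ident}-py3-none-any.whl"
    if not url_within_base(url):
        # Unreachable after the regex check, but kept as defence in depth.
        raise RuntimeError(f"refusing to download from outside {RELEASES_BASE}")
    return url


if __name__ == "__main__":
    # Constructed inputs: one legitimate identifier, one containing a
    # relative path of the kind the issue describes.
    for candidate in ("en_core_web_sm-3.7.1", "../../other-org/other-repo/releases/download/pkg-1.0"):
        naive = build_direct_url_unsafe(candidate)
        print("naive   :", naive, "| in repo:", url_within_base(naive))
        try:
            print("hardened:", build_direct_url(candidate))
        except ValueError as exc:
            print("hardened: rejected ->", exc)
```

The important design point is that the hardened builder never echoes the caller's string into the URL: it reconstructs the identifier from the regex groups, so even a future allowlist bug cannot smuggle a separator through, and the `url_within_base` check gives an independent second line of defence that a service accepting user-supplied model names can also apply to any URL before fetching it.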