Skip to content

2.22.1: CVE-2023-23608
Compare
Choose a tag to compare
@stephanebruckert stephanebruckert released this 23 Jan 19:39
· 70 commits to master since this release
2.22.1
c53511b

Fixed

  • CVE-2023-23608: fixed path traversal vulnerability that may lead to type confusion in URI handling code. Can prevent a potential XSS attack.
    • Upgrade if your app is user-facing and it allows user inputs for any type of Spotify IDs/URIs/URLs that may be forwarded to the Spotify API. Thanks to @Shaderbug for finding and fixing this bug b1db0b6

Changed

  • Modified docstring for deprecated playlist_add_items() to accept "only URIs or URLs", with intended fix for IDs in v3.
    • The bug still exists for developers dealing with episodes IDs rather than just track IDs. However it is recommended to use the new playlist_add_tracks() or playlist_add_episodes() if dealing with episodes or simply to avoid confusion. See #919 by @oliveraw for context

Contributors

oliveraw and Shaderbug
Assets 2
Loading