Package: pandoc / 2.17.1.1-2~deb12u1

Metadata

Package: pandoc
Version: 2.17.1.1-2~deb12u1
Patches format: 3.0 (quilt)

Patch series

Patch | File delta | Description
020220218~2a70d9c.patch

pandoc.cabal | 4 2 + 2 - 0 !
1 file changed, 2 insertions(+), 2 deletions(-)

 Require skylighting 0.12.3.
020220531~9aff861.patch

pandoc.cabal | 4 2 + 2 - 0 !
test/lhs-test.html | 4 2 + 2 - 0 !
test/lhs-test.html+lhs | 4 2 + 2 - 0 !
test/lhs-test.latex | 4 2 + 2 - 0 !
4 files changed, 8 insertions(+), 8 deletions(-)

 Require skylighting 0.12.3.1 and update tests.
020230620~5e381e3.patch

src/Text/Pandoc/Class/IO.hs | 14 7 + 7 - 0 !
src/Text/Pandoc/MediaBag.hs | 26 15 + 11 - 0 !
2 files changed, 22 insertions(+), 18 deletions(-)

 Fix a security vulnerability in MediaBag and T.P.Class.IO.writeMedia
 This vulnerability, discovered by Entroy C,
 allows users to write arbitrary files to any location
 by feeding pandoc a specially crafted URL in an image element.
 The vulnerability is serious
 for anyone using pandoc to process untrusted input.
 The vulnerability does not affect pandoc
 when run with the `--sandbox` flag.
020230623.1~54561e9.patch

src/Text/Pandoc/Class/IO.hs | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 Fix bug in git commit 5e381e3
 In the new code a comma mysteriously turned into a period.
 This would have prevented proper separation
 of the mime type and content in data uris.
 Thanks to @hseg for catching this.
020230623.2~df4f13b.patch

src/Text/Pandoc/Class/IO.hs | 6 3 + 3 - 0 !
src/Text/Pandoc/MediaBag.hs | 9 5 + 4 - 0 !
2 files changed, 8 insertions(+), 7 deletions(-)

 More fixes to git commit 5e381e3
 These changes recognize that parseURI does not unescape the path.
 .
 Another change is that the canonical form
 of the path used as the MediaBag key
 retains percent-encoding, if present;
 we only unescape the string when writing to a file.
 .
 Some tests are needed before the issue can be closed.
020230623.3~fe62da6.patch

pandoc.cabal | 2 2 + 0 - 0 !
test/Tests/MediaBag.hs | 39 39 + 0 - 0 !
test/test-pandoc.hs | 2 2 + 0 - 0 !
3 files changed, 43 insertions(+)

 Add tests for fillMediaBag/extractMedia
020230623.4~5246f02.patch

test/Tests/MediaBag.hs | 16 7 + 9 - 0 !
1 file changed, 7 insertions(+), 9 deletions(-)

 Improve tests for fillMediaBag/extractMedia
 Ensure that the current directory is not changed up if a test fails,
 and fix messages for the assertion failures.
020230720~eddedbf.patch

src/Text/Pandoc/Class/IO.hs | 2 2 + 0 - 0 !
src/Text/Pandoc/MediaBag.hs | 7 4 + 3 - 0 !
test/Tests/MediaBag.hs | 12 11 + 1 - 0 !
3 files changed, 17 insertions(+), 4 deletions(-)

 Fix new variant of the vulnerability in CVE-2023-35936
 Guilhem Moulin noticed that the fix to CVE-2023-35936 was incomplete.
 An attacker could get around it
 by double-encoding the malicious extension
 to create or override arbitrary files.
 .
        $ echo '![](data://image/png;base64,cHJpbnQgImhlbGxvIgo=;.lua+%252f%252e%252e%252f%252e%252e%252fb%252elua)' >b.md
        $ .cabal/bin/pandoc b.md --extract-media=bar
        <p><img
        src="bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+%2f%2e%2e%2f%2e%2e%2fb%2elua" /></p>
        $ cat b.lua
        print "hello"
        $ find bar
        bar/
        bar/2a0eaa89f43fada3e6c577beea4f2f8f53ab6a1d.lua+
 .
 This commit adds a test case for this more complex attack
 and fixes the vulnerability.
 (The fix is quite simple:
 if the URL-unescaped filename or extension contains a '%',
 we just use the sha1 hash of the contents as the canonical name,
 just as we do if the filename contains '..'.)
2001_templates_avoid_privacy_breach.patch

data/dzslides/template.html | 9 3 + 6 - 0 !
data/templates/default.dzslides | 5 1 + 4 - 0 !
data/templates/default.html5 | 3 0 + 3 - 0 !
src/Text/Pandoc/Options.hs | 4 2 + 2 - 0 !
test/lhs-test.html | 3 0 + 3 - 0 !
test/lhs-test.html+lhs | 3 0 + 3 - 0 !
test/s5-fancy.html | 3 1 + 2 - 0 !
test/writer.html5 | 3 0 + 3 - 0 !
8 files changed, 7 insertions(+), 26 deletions(-)

 Avoid potential privacy breaches in templates
2002_program_package_hint.patch

src/Text/Pandoc/Error.hs | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 Improve error message when PDF program is missing