mirror of
https://github.com/zhayujie/chatgpt-on-wechat.git
synced 2026-07-17 11:07:11 +08:00
- config.py:418 — Replace eval(value) with ast.literal_eval() for environment variable config overrides. ast.literal_eval only parses Python literals and cannot execute arbitrary code, preventing environment-variable-based code injection. - config.py:310-328 — Add security notes on pickle.load/dump usage. Pickle is safe here (local appdata file, same-process write/read), but notes suggest JSON migration or HMAC signing for future hardening. Fixes: potential RCE via controlled environment variables
36 KiB
36 KiB