Thanks for reporting the issue. You reported literally the day I moved into my first home, so I've been extremely busy the last couple of weeks and have taken time off work / away from the computer. I should have found time to at least promptly get back to you, but honestly it's been a very chaotic period for me and hard to manage my time properly. As this issue poses compatibility problems (for example, in the communication protocol between compo.sr and Composr installations), and may conflict with existing changes for the in-development v11, I need to deal with this myself and cannot delegate it. Developing a prototype fix in git (i.e. the normal workflow for bugfixes) would have been effective disclosure, so I have to manage a fix in private and schedule an immediate disclosure when the fix is committed. 3 weeks is a short timescale for whitehat full disclosure of vulnerabilities; 1 month would be the normal bare minimum IMO - so please wait until 13th May before disclosing.
A fix will be coming out before midnight on 13th (i.e. tomorrow), CST timezone.
Thank you for withholding up to that point. I'll make sure you get credit on the announcement. If you have a request for a name to be credited against (i.e. not just 'RandomGuy'), I'll make sure that's included.
By the way, this is a clever hole you've found. On one hand, the issue is somewhat obvious and our fault (for using serialize and trying to be clever about it), but the trick to using the '+' is smart, as is using Tempcode with its automatic (code-based) string conversion.
#3801 - Unauthenticated Remote Code Execution
Announced in https://compo.sr/news/view/announcements/security-vulnerability.htm.