<p></p>

<p><b>@xiota</b> commented on this pull request.</p>

<hr>

<p>In <a href="https://github.com/geany/geany/pull/3021#discussion_r757723117">src/keyfile.c</a>:</p>

<pre style='color:#555'>> @@ -1268,6 +1287,16 @@ static gboolean open_session_file(gchar **tmp, guint len)

        unescaped_filename = g_uri_unescape_string(tmp[7], NULL);

        locale_filename = utils_get_locale_from_utf8(unescaped_filename);

+       if (!g_path_is_absolute(locale_filename) && app->project)

+       {

+               gchar *base_path = project_get_base_path();

+               gchar *project_dir = utils_get_locale_from_utf8(base_path);

+

+               SETPTR(locale_filename, g_build_filename(project_dir, locale_filename, NULL));

</pre>

<p dir="auto">Need to add a check before this to prevent use of <code>..</code> from allowing access to files outside the project tree.  Even though this PR doesn't write relative paths in certain ways, session and project files can be edited externally or another PR may change it.</p>

<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, <a href="https://github.com/geany/geany/pull/3021#pullrequestreview-817091252">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/AAIOWJ7XFVKWYALNGA5DO3DUOARXRANCNFSM5IYZ3XZA">unsubscribe</a>.<br />Triage notifications on the go with GitHub Mobile for <a href="https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675">iOS</a> or <a href="https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub">Android</a>.

<img src="https://github.com/notifications/beacon/AAIOWJ2TYKCRMVWVYQ75AQDUOARXRA5CNFSM5IYZ3XZKYY3PNVWWK3TUL52HS4DFWFIHK3DMKJSXC5LFON2FEZLWNFSXPKTDN5WW2ZLOORPWSZGOGCZ5FNA.gif" height="1" width="1" alt="" /></p>

<script type="application/ld+json">[

{

"@context": "http://schema.org",

"@type": "EmailMessage",

"potentialAction": {

"@type": "ViewAction",

"target": "https://github.com/geany/geany/pull/3021#pullrequestreview-817091252",

"url": "https://github.com/geany/geany/pull/3021#pullrequestreview-817091252",

"name": "View Pull Request"

},

"description": "View this Pull Request on GitHub",

"publisher": {

"@type": "Organization",

"name": "GitHub",

"url": "https://github.com"

}

}

]</script>