From 2257d695900121026333e284603dbd94311ccd0d Mon Sep 17 00:00:00 2001 From: Shakker Date: Thu, 29 Jan 2026 02:30:01 +0000 Subject: [PATCH] fix: text attachment MIME misclassification with security hardening (#3628) - Fix CSV/TSV inference from content heuristics - Add UTF-16 detection and BOM handling - Add XML attribute escaping for file output (security) - Add MIME override logging for auditability - Add comprehensive test coverage for edge cases Thanks @frankekn --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 37ae5fdf2..d32a9f7a3 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -107,6 +107,7 @@ Status: beta. - Telegram: centralize API error logging for delivery and bot calls. (#2492) Thanks @altryne. - Voice Call: enforce Twilio webhook signature verification for ngrok URLs; disable ngrok free tier bypass by default. - Security: harden Tailscale Serve auth by validating identity via local tailscaled before trusting headers. +- Media: fix text attachment MIME misclassification with CSV/TSV inference and UTF-16 detection; add XML attribute escaping for file output. (#3628) Thanks @frankekn. - Build: align memory-core peer dependency with lockfile. - Security: add mDNS discovery mode with minimal default to reduce information disclosure. (#1882) Thanks @orlyjamie. - Security: harden URL fetches with DNS pinning to reduce rebinding risk. Thanks Chris Zheng.