-
Notifications
You must be signed in to change notification settings - Fork 150
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
XSS via filename #28
Comments
Thanks for the report. I'm going to publish a fix ASAP right now. P.S. if you like, always feel free to email me directly for security issues :) You can always post publicly on the repo if the author (me in this case) does not seem to be responding in a reasonable amount of time :D |
Sorry, I'll do that in the future! I looked at http://expressjs.com/ for a security contact, but I should have just tried your email. |
No problem. We are working on a policy. I was mainly just talking in general :) |
Oh, I see, it's the |
...and the content, lol. Basically, only the |
Please feel free to confirm this fix :) |
Thanks, that seems to have fixed the one I reported. I found another, though: the directory/path indicator at the top of the index page needs escaping as well. Try an |
Awesome!! Fixing... |
Also, in the title tag. |
Ok, I think I may have gotten them all now. |
@andrewrk I'm pinging you because of the last |
I'm ok, thanks. I'd like the option to ask for it later if I have to deal with another bug report asking for the patch earlier, if that's OK. |
The option is always available :) I was just checking ahead of time just in case you happened to know :) |
This has been published to npm as 1.6.3. |
serve-index 1.6.0 is vulnerable to XSS (see expressjs/serve-index#28)
serve-index directory listings are vulnerable to XSS via arbitrary uploader-controlled filenames.
Repro steps:
cd public/ftp
touch '<img src="" onerror="alert(0)">'
I spotted this when testing webpack-dev-server, which is also vulnerable as it uses serve-index.
The text was updated successfully, but these errors were encountered: