path: fix regression in posix.normalize #19520
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fixes a regression introduced in nodejs@4ae320f The posix version of normalize should not treat backslash as a path separator. Fixes: nodejs#19519
Trott
approved these changes
Mar 21, 2018
tniessen
approved these changes
Mar 21, 2018
mscdex
reviewed
Mar 21, 2018
lib/path.js
Outdated
| @@ -364,7 +369,8 @@ const win32 = { | |||
|
|
|||
| var tail; | |||
| if (rootEnd < len) | |||
There was a problem hiding this comment.
Can braces be added for the if and else here if we start having multi-line conditional bodies?
cjihrig
approved these changes
Mar 21, 2018
4 tasks
|
Should we fast track this patch / a 9.9.1 or can this wait for next week? |
|
It's difficult to estimate the impact (I suppose backslashes are not common in unixes paths). It can probably wait and land with the next security release. |
jasnell
approved these changes
Mar 23, 2018
|
Landed in a0adf56 |
targos
added a commit
that referenced
this pull request
Mar 23, 2018
Fixes a regression introduced in [1]. The posix version of normalize should not treat backslash as a path separator. [1] 4ae320f2 PR-URL: #19520 Fixes: #19519 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
targos
added a commit
that referenced
this pull request
Mar 24, 2018
Fixes a regression introduced in [1]. The posix version of normalize should not treat backslash as a path separator. [1] 4ae320f2 PR-URL: #19520 Fixes: #19519 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
|
Any plans for a patch with this? |
|
This is ready to land in the next patch release, which should happen tomorrow: https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ |
targos
added a commit
that referenced
this pull request
Mar 27, 2018
Notable changes:
* cluster:
- Add support for `NODE_OPTIONS="--inspect"` (Sameer Srivastava)
#19165
* crypto:
- Expose the public key of a certificate (Hannes Magnusson)
#17690
* n-api:
- Add `napi_fatal_exception` to trigger an `uncaughtException` in
JavaScript (Mathias Buus)
#19337
* path:
- Fix regression in `posix.normalize` (Michaël Zasso)
#19520
* stream:
- Improve stream creation performance (Brian White)
#19401
* Added new collaborators
- [BethGriggs](https://github.com/BethGriggs) Beth Griggs
MylesBorins
pushed a commit
that referenced
this pull request
Mar 28, 2018
This is a security release. All Node.js users should consult the security release summary at: https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ for details on patched vulnerabilities. Fixes for the following CVEs are included in this release: * CVE-2018-7158 * CVE-2018-7159 * CVE-2018-7160 Notable changes: * Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js. * **Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)**: A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser `Host` value of `localhost` or `localhost6`. * **Fix for `'path'` module regular expression denial of service (CVE-2018-7158)**: A regular expression used for parsing POSIX an Windows paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted `'path'` module functions. * **Reject spaces in HTTP `Content-Length` header values (CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside `Content-Length` header values. Such values now lead to rejected connections in the same way as non-numeric values. * **Update root certificates**: 5 additional root certificates have been added to the Node.js binary and 30 have been removed. * cluster: - Add support for `NODE_OPTIONS="--inspect"` (Sameer Srivastava) #19165 * crypto: - Expose the public key of a certificate (Hannes Magnusson) #17690 * n-api: - Add `napi_fatal_exception` to trigger an `uncaughtException` in JavaScript (Mathias Buus) #19337 * path: - Fix regression in `posix.normalize` (Michaël Zasso) #19520 * stream: - Improve stream creation performance (Brian White) #19401 * Added new collaborators - [BethGriggs](https://github.com/BethGriggs) Beth Griggs PR-URL: https://github.com/nodejs-private/node-private/pull/111
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes a regression introduced in
4ae320f
The posix version of normalize should not treat backslash as a path
separator.
Fixes: #19519
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes