Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

examples: defend from privilege elevation #4120

Merged
merged 1 commit into from
Feb 8, 2022
Merged

examples: defend from privilege elevation #4120

merged 1 commit into from
Feb 8, 2022

Conversation

KoyamaSohei
Copy link
Contributor

@KoyamaSohei KoyamaSohei changed the title examples: defend privilege elevation examples: defend from privilege elevation Dec 13, 2019
@dougwilson dougwilson self-assigned this Mar 25, 2020
@dougwilson
Copy link
Contributor

So I noticed the fix for this was to switch from res.download to attachment + sendFile. That does indeed work, but I think it exposes that the res.download API doesn't actually make it easy to use it i. This way, which I think we should actually improve/fix in some way.

@dougwilson
Copy link
Contributor

Ok, Sorry for the delay. I dug in to this today and so what I found was that this was an oversight when the full options support was added to res.download -- this is a bug it'll be fixed such that the root option is honored when supplied. This bug fix will land in the next minor, 4.18, since it's a bit more risky of a fix depending on what folks are passing in. I updated the example to resolve the path to absolute and still use res.download, as I looked in to it and this example's purpose was to demo res.download among other APIs, so this'll land now.

@dougwilson dougwilson closed this in 82de4de Feb 8, 2022
@dougwilson dougwilson merged commit 82de4de into expressjs:master Feb 8, 2022
himanshiLt pushed a commit to himanshiLt/express that referenced this pull request Jun 20, 2022
@KoyamaSohei @himanshiLt
examples: fix path traversal in downloads example
a2a1155 
closes expressjs#4120
@sync-by-unito sync-by-unito bot mentioned this pull request Jun 2, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dougwilson dougwilson dougwilson approved these changes

Assignees

@dougwilson dougwilson

Labels
examples pr
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

XSS in examples
2 participants
@KoyamaSohei @dougwilson