mirror of https://github.com/lukechilds/node.git
On POSIX platforms, check that the uid and gid match the euid and egid respectively before looking up the environment variable.

Before this commit, an i18n-enabled suid node would cheerfully load attacker-controlled ICU data through the NODE_ICU_DATA environment variable.

This commit is not a complete fix. For example, it's up for debate what to do with the NODE_CHANNEL_FD environment variable.

PR-URL: https://github.com/node-forward/node/pull/18
Reviewed-By: Fedor Indutny <fedor@indutny.com>

archived-io.js-v0.12
Ben Noordhuis
10 years ago
committed by
Fedor Indutny
1 changed files with 12 additions and 2 deletions
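The check the commit message describes, written out as an added example; this is not the code from this commit or from the Node source. The helper names `ids_elevated`, `getenv_checked` and `getenv_unless_elevated` and the sample path are assumptions made for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* for setenv() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: true when the real and effective ids differ, i.e. the
 * process holds privileges its invoker does not have (setuid or setgid). */
static int ids_elevated(uid_t uid, uid_t euid, gid_t gid, gid_t egid) {
  return uid != euid || gid != egid;
}

/* Hypothetical helper: getenv() that ignores the environment when elevated,
 * because the less privileged invoker controls every variable in it.
 * The ids are parameters so the decision can be exercised without a
 * setuid binary. */
static const char *getenv_checked(const char *name, uid_t uid, uid_t euid,
                                  gid_t gid, gid_t egid) {
  if (ids_elevated(uid, euid, gid, egid))
    return NULL;
  return getenv(name);
}

/* The same check against the ids of the running process. */
static const char *getenv_unless_elevated(const char *name) {
  return getenv_checked(name, getuid(), geteuid(), getgid(), getegid());
}

int main(void) {
  /* Constructed sample value standing in for an invoker-supplied path. */
  setenv("NODE_ICU_DATA", "/tmp/constructed-icu-data", 1);

  const char *dir = getenv_unless_elevated("NODE_ICU_DATA");
  printf("this process:   %s\n", dir ? dir : "(ignored)");

  /* Simulated setuid-root binary started by uid 1000: uid 1000, euid 0. */
  dir = getenv_checked("NODE_ICU_DATA", 1000, 0, 1000, 1000);
  printf("simulated suid: %s\n", dir ? dir : "(ignored)");
  return 0;
}
```

Every other environment variable that influences what the process loads or which descriptors it trusts needs the same gate, which is why the commit message calls itself an incomplete fix.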