Skip to content

v4.1.3: [security] Fix crash on redirect with formfeed in URL (CVE-2019-10775) #266

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 1, 2020
Merged

v4.1.3: [security] Fix crash on redirect with formfeed in URL (CVE-2019-10775) #266

merged 2 commits into from
Apr 1, 2020

Conversation

@mk-pmb
Copy link
Contributor

@mk-pmb mk-pmb commented Apr 1, 2020

Sorry for disturbing the peace of the dead, but I'd really appreciate you making an exception so I don't need to start a maintenance fork. (If you wish I do I might consider it though.)

This fixes CVE-2019-10775. I'll postpone regression tests because
the request library cannot send those requests (crashing the client
instead of ecstatic), so I'll need to find another module that can.

mk-pmb added 2 commits April 2, 2020 00:51
@mk-pmb
[minor] Remove else-after-return to make eslint pass
fd3491a
@mk-pmb
v4.1.3: [security] Fix crash on redirect with formfeed in URL (CVE-20…
d37b507 
…19-10775)

This fixes CVE-2019-10775. I'll postpone regression tests because
the request library cannot send those requests (crashing the client
instead of ecstatic), so I'll need to find another module that can.
@jfhbrook jfhbrook merged commit 72044b8 into jfhbrook:master Apr 1, 2020
@mk-pmb
Copy link
Contributor Author

mk-pmb commented Apr 1, 2020

Thanks!

@jfhbrook
Copy link
Owner

jfhbrook commented Apr 1, 2020

out as 4.1.4 due to having to fuck with github actions but it should be out

@mk-pmb
Copy link
Contributor Author

mk-pmb commented Apr 1, 2020
edited
Loading

… and only now it comes to my mind that the RegExp should probably have matched U+0020 space as well. However the impact is probably limited to confusing readers of that code. I'll probably fix that once I get to write the tests for it.

@trivikr trivikr mentioned this pull request Jul 2, 2020
Closed
@thornjad thornjad mentioned this pull request Oct 13, 2021
Merged
8 tasks
@westonphillips westonphillips mentioned this pull request Jun 29, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mk-pmb @jfhbrook