Patched slug CVE-2017-16117 by truncating input
parent
6e453ac15c
commit
6925839f9b
|
@ -7,6 +7,7 @@
|
||||||
* Improved debugging output
|
* Improved debugging output
|
||||||
* Tried to fix scrollwheel
|
* Tried to fix scrollwheel
|
||||||
* Fixed security audited npm packages
|
* Fixed security audited npm packages
|
||||||
|
* Patched [CVE-2017-16117](https://github.com/dodo/node-slug/issues/82) on [node-slug](https://github.com/dodo/node-slug)
|
||||||
|
|
||||||
###### v0.9.0
|
###### v0.9.0
|
||||||
* [#121](https://github.com/Tracman-org/Server/issues/121) Fixed various security holes
|
* [#121](https://github.com/Tracman-org/Server/issues/121) Fixed various security holes
|
||||||
|
|
|
@ -67,6 +67,7 @@ Tracman will be updated according to [this branching model](http://nvie.com/post
|
||||||
* Removed express validator and replaced with homegrown function
|
* Removed express validator and replaced with homegrown function
|
||||||
* Fixed showing welcome message on every login
|
* Fixed showing welcome message on every login
|
||||||
* Removed naked domains
|
* Removed naked domains
|
||||||
|
* Patched [CVE-2017-16117](https://github.com/dodo/node-slug/issues/82) on [node-slug](https://github.com/dodo/node-slug)
|
||||||
|
|
||||||
###### v0.8.x
|
###### v0.8.x
|
||||||
* Hotfixed service worker bugs
|
* Hotfixed service worker bugs
|
||||||
|
|
|
@ -5,10 +5,13 @@ const mail = require('../mail.js')
|
||||||
const User = require('../models.js').user
|
const User = require('../models.js').user
|
||||||
const crypto = require('crypto')
|
const crypto = require('crypto')
|
||||||
const moment = require('moment')
|
const moment = require('moment')
|
||||||
const slugify = require('slug')
|
|
||||||
const sanitize = require('mongo-sanitize')
|
const sanitize = require('mongo-sanitize')
|
||||||
const debug = require('debug')('tracman-routes-auth')
|
const debug = require('debug')('tracman-routes-auth')
|
||||||
const env = require('../env/env.js')
|
const env = require('../env/env.js')
|
||||||
|
// Trim slug to patch CVE-2017-16117
|
||||||
|
const slugify = function(s) {
|
||||||
|
return require('slug')(s.slice(0,99))
|
||||||
|
}
|
||||||
|
|
||||||
module.exports = (app, passport) => {
|
module.exports = (app, passport) => {
|
||||||
|
|
||||||
|
|
|
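Review bot: The new `slugify` wrapper calls `s.slice(0,99)` without checking the argument's type, so an undefined value throws a TypeError, and an array (if the body parser can yield one) is cut by element count rather than by characters and the length cap no longer holds. A guard such as `if (typeof s !== 'string') return ''` before the slice, or rejecting the request, keeps the truncation meaningful. The bare `99` deserves a comment explaining that it bounds the regex work behind CVE-2017-16117 and is a stop-gap until `slug` itself is upgraded to a fixed release. The same wrapper is pasted into the next two file sections under the name `slug`; defining it once in a shared module and requiring it from all three files would keep the limit from drifting. The call sites that feed the wrapper are outside these hunks.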
@ -1,9 +1,12 @@
|
||||||
'use strict'
|
'use strict'
|
||||||
|
|
||||||
const router = require('express').Router()
|
const router = require('express').Router()
|
||||||
const slug = require('slug')
|
|
||||||
const xss = require('xss')
|
const xss = require('xss')
|
||||||
const User = require('../models.js').user
|
const User = require('../models.js').user
|
||||||
|
// Trim slug to patch CVE-2017-16117
|
||||||
|
const slug = function(s) {
|
||||||
|
return require('slug')(s.slice(0,99))
|
||||||
|
}
|
||||||
|
|
||||||
module.exports = router
|
module.exports = router
|
||||||
|
|
||||||
|
|
|
@ -1,14 +1,16 @@
|
||||||
'use strict'
|
'use strict'
|
||||||
|
|
||||||
const slug = require('slug')
|
|
||||||
const xss = require('xss')
|
const xss = require('xss')
|
||||||
const mw = require('../middleware.js')
|
const mw = require('../middleware.js')
|
||||||
const User = require('../models.js').user
|
const User = require('../models.js').user
|
||||||
const mail = require('../mail.js')
|
const mail = require('../mail.js')
|
||||||
const env = require('../env/env.js')
|
const env = require('../env/env.js')
|
||||||
const sanitize = require('mongo-sanitize')
|
|
||||||
const debug = require('debug')('tracman-routes-settings')
|
const debug = require('debug')('tracman-routes-settings')
|
||||||
const router = require('express').Router()
|
const router = require('express').Router()
|
||||||
|
// Trim slug to patch CVE-2017-16117
|
||||||
|
const slug = function(s) {
|
||||||
|
return require('slug')(s.slice(0,99))
|
||||||
|
}
|
||||||
|
|
||||||
// Settings form
|
// Settings form
|
||||||
router.route('/')
|
router.route('/')
|
||||||
|
|
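Review bot: This section also drops `const sanitize = require('mongo-sanitize')`, which the commit title (a slug truncation patch) does not mention. The rest of the settings routes file is outside the hunk, so it is worth confirming that no `sanitize(` call remains, since that would now throw a ReferenceError. It is also worth checking that no request field reaches a Mongo query in this file without equivalent filtering. If the removal is intentional because the import was unused, say so in the commit message or changelog entry.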