When relying on the root option to restrict file access, it may be possible for an application consumer to escape out of the restricted directory and access files in a similarly named directory. For example, static(__dirname + '/public') would allow access to __dirname + '/public-restricted'.

Upstream commit: https://github.com/visionmedia/send/commit/9c6ca9b2c0b880afd3ff91ce0d211213c5fa5f9a

Corresponding pull request: https://github.com/visionmedia/send/pull/59

CVE request: http://seclists.org/oss-sec/2014/q3/640
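
The issue described above comes down to how a resolved path is compared with the root directory. The following is an added illustration, not code from the send project or from this report; the function names and the /srv/app paths are constructed for the example.

```javascript
const path = require('path').posix; // POSIX rules so results match on any host

// Constructed sample root and request paths (hypothetical layout).
const ROOT = '/srv/app/public';
const SAMPLES = [
  'css/site.css',                    // ordinary file below the root
  '.',                               // the root itself
  '../private/key.pem',              // unrelated sibling directory
  '../public-restricted/secret.txt', // sibling whose name starts with "public"
];

// Weak check: plain string-prefix comparison against the root.
// '/srv/app/public-restricted/...' also starts with '/srv/app/public'.
function isInsideRootPrefix(root, requested) {
  const resolved = path.join(root, requested);
  return resolved.indexOf(root) === 0;
}

// Hardened check: the resolved path must equal the root or begin with
// root + separator, so a sibling sharing only a name prefix is rejected.
function isInsideRoot(root, requested) {
  const base = path.resolve(root); // also drops any trailing slash
  const resolved = path.join(base, requested);
  return resolved === base || resolved.startsWith(base + path.sep);
}

// Returns the sample paths that the weak check accepts but the hardened
// check rejects; useful as a regression test for a static-file handler.
function disagreements(root, samples) {
  return samples.filter(
    (p) => isInsideRootPrefix(root, p) && !isInsideRoot(root, p)
  );
}

for (const p of SAMPLES) {
  console.log(p, {
    prefixCheck: isInsideRootPrefix(ROOT, p),
    separatorCheck: isInsideRoot(ROOT, p),
  });
}
```

Only the similarly named sibling directory is treated differently by the two checks, which makes it a good regression case for any code that enforces a root directory.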
Created nodejs-send tracking bugs for this issue:

Affects: fedora-all [bug 1146064]
Affects: epel-all [bug 1146065]
nodejs-send-0.3.0-4.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
nodejs-send-0.3.0-4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
nodejs-send-0.3.0-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.