
v0.4.6

@lukeed lukeed released this 23 May 18:03
· 90 commits to master since this release

NOTICE
This version patches a directory-traversal security vulnerability that exists in dev mode only. All users should update immediately, even if they don't think they're using --dev or opts.dev on live servers. There are no other changes in this release.

Patches

  • Fixes dev mode security vulnerability (#63): 1e0bac5
    Thank you @marvinhagemeister~!

    As Marvin describes:

    This allows an attacker to traverse the file system outside of the specified directory.

    Let's say sirv was initialized to serve files from /foo/bar:

    sirv("/foo/bar");

    ...and an attacker makes a request to:

    GET /../../etc/passwd

    ...then they are able to download the contents of that file.

Chores