
examples: defend from privilege elevation #4120

Merged
merged 1 commit into from
Feb 8, 2022

Conversation

KoyamaSohei
Contributor

@KoyamaSohei KoyamaSohei changed the title examples: defend privilege elevation examples: defend from privilege elevation Dec 13, 2019
@dougwilson dougwilson self-assigned this Mar 25, 2020
@dougwilson
Contributor

So I noticed the fix for this was to switch from res.download to attachment + sendFile. That does indeed work, but I think it exposes that the res.download API doesn't actually make it easy to use it in this way, which I think we should actually improve/fix in some way.

@dougwilson
Contributor

Ok, sorry for the delay. I dug into this today and what I found was that this was an oversight when the full options support was added to res.download -- this is a bug; it'll be fixed such that the root option is honored when supplied. This bug fix will land in the next minor, 4.18, since it's a bit more risky of a fix depending on what folks are passing in. I updated the example to resolve the path to absolute and still use res.download, as I looked into it and this example's purpose was to demo res.download among other APIs, so this'll land now.

@dougwilson dougwilson closed this in 82de4de Feb 8, 2022
@dougwilson dougwilson merged commit 82de4de into expressjs:master Feb 8, 2022
himanshiLt pushed a commit to himanshiLt/express that referenced this pull request Jun 20, 2022

Successfully merging this pull request may close these issues.

XSS in examples