Comparing version 1.2.0 to 1.3.0
@@ -304,1 +304,12 @@ # Changes | ||
``` | ||
## 1.2.0 | ||
### SECURITY PATCH | ||
An important security patch was released in this version which fixes a bug causing false negatives in specific edge cases. Please upgrade immediately and only use this version from this point on. | ||
All older versions of this package have been deprecated on NPM. | ||
## 1.3.0 | ||
This just has some bug fixes and updates to dependencies. Technically, a new `'timeout'` event was added to the `passthrough` stream method, but, its not fully fleshed out and doesn't seem to work so it will remain undocumented for now. |
@@ -36,5 +36,7 @@ /* | ||
if (this._debug_mode) console.log("node-clam: Received final data from stream."); | ||
const size = Buffer.alloc(4); | ||
size.writeInt32BE(0, 0); | ||
this.push(size); | ||
if (!this._readableState.ended) { | ||
const size = Buffer.alloc(4); | ||
size.writeInt32BE(0, 0); | ||
this.push(size); | ||
} | ||
cb(); | ||
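Review bot: The new guard around `this.push(size)` skips the zero-length terminating chunk without leaving any trace when `_readableState.ended` is already true, and it decides that by reading a private stream field. For a malware scanner the skipped terminator matters: nothing in this hunk tells the caller that the stream closed before the end-of-data marker went out, so confirm that this path ends in a scan error rather than a clean verdict. I would add `else if (this._debug_mode) console.log("node-clam: Stream already ended; terminator not sent.");` and a short comment above the `if` naming the situation it is meant to cover. The enclosing function starts above the hunk, so the rest of the flush logic is not visible here.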
@@ -41,0 +43,0 @@ } |
{ | ||
"name": "clamscan", | ||
"version": "1.2.0", | ||
"version": "1.3.0", | ||
"author": "Kyle Farris <kfarris@chomponllc.com> (http://chomponllc.com)", | ||
@@ -11,3 +11,4 @@ "description": "Use Node JS to scan files on your server with ClamAV's clamscan/clamdscan binary or via TCP to a remote server or local UNIX Domain socket. This is especially useful for scanning uploaded files provided by un-trusted sources.", | ||
"urg <Patrick McAndrew>", | ||
"SaltwaterC <Ștefan Rusu>" | ||
"SaltwaterC <Ștefan Rusu>", | ||
"Sjord <Sjoerd Langkemper>" | ||
], | ||
@@ -14,0 +15,0 @@ "scripts": { |
@@ -9,5 +9,5 @@ [![NPM Version][npm-version-image]][npm-url] [![NPM Downloads][npm-downloads-image]][npm-url] [![Node.js Version][node-image]][node-url] [![Build Status][travis-image]][travis-url] | ||
If you are using a version prior to 0.8.2, please upgrade! There was a security vulnerability in previous versions that allows a malicious user to execute code on your server. Specific details on how the attack could be implemented will not be disclosed here. Please update to 0.8.2 or greater ASAP. No breaking changes are included, only the security patch. | ||
If you are using a version prior to 1.2.0, please upgrade! There was a security vulnerability in previous versions that can cause false negative in some edge cases. Specific details on how the attack could be implemented will not be disclosed here. Please update to 1.2.0 or greater ASAP. No breaking changes are included, only the security patch. | ||
All other versions in NPM have been deprecated. | ||
All older versions in NPM have been deprecated. | ||
@@ -14,0 +14,0 @@ # Version 1.0.0 Information: |
@@ -14,3 +14,3 @@ const fs = require('fs'); | ||
module.exports = { | ||
const config = { | ||
remove_infected: false, // don't change | ||
@@ -23,9 +23,15 @@ quarantine_infected: __dirname + '/infected', // required for testing | ||
clamdscan: { | ||
socket: '/var/run/clamav/clamd.ctl', // required for testing (change for your system e.g. '/var/run/clamd.scan/clamd.sock') - can be set to null | ||
socket: '/var/run/clamd.scan/clamd.sock', // required for testing (change for your system e.g. '/var/run/clamd.scan/clamd.sock') - can be set to null | ||
host: '127.0.0.1', // required for testing (change for your system) - can be set to null | ||
port: 3310, // required for testing (change for your system) - can be set to null | ||
path: which('clamdscan'), // required for testing | ||
//config_file: '/etc/clamd.d/scan.conf' // set if required | ||
timeout: 1000, | ||
// config_file: '/etc/clamd.d/scan.conf' // set if required | ||
}, | ||
debug_mode: false | ||
debug_mode: false, | ||
}; | ||
// Force specific socket when on travis CI. | ||
if (process.env.CI) config.clamdscan.socket = '/var/run/clamav/clamd.ctl'; | ||
module.exports = config; |
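Review bot: The override `if (process.env.CI) ...` fires on every CI system that sets `CI`, not only Travis as the comment above it says, so a runner elsewhere is pointed at `/var/run/clamav/clamd.ctl` whether or not clamd listens there. Keying on Travis's own variable keeps it scoped: `if (process.env.TRAVIS) config.clamdscan.socket = '/var/run/clamav/clamd.ctl';`. Two smaller points in the same hunk: the "e.g." path in the `socket` comment is now identical to the default, and the new `timeout: 1000` has no comment giving its unit or what it bounds.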