Comparing version 4.4.18 to 4.4.19
@@ -526,9 +526,9 @@ 'use strict' | ||
// is any of its children. | ||
// If a symbolic link is encountered on Windows, all bets are off. | ||
// There is no reasonable way to sanitize the cache in such a way | ||
// we will be able to avoid having filesystem collisions. If this | ||
// happens with a non-symlink entry, it'll just fail to unpack, | ||
// but a symlink to a directory, using an 8.3 shortname, can evade | ||
// detection and lead to arbitrary writes to anywhere on the system. | ||
if (isWindows && entry.type === 'SymbolicLink') | ||
// If a symbolic link is encountered, all bets are off. There is no | ||
// reasonable way to sanitize the cache in such a way we will be able to | ||
// avoid having filesystem collisions. If this happens with a non-symlink | ||
// entry, it'll just fail to unpack, but a symlink to a directory, using an | ||
// 8.3 shortname or certain unicode attacks, can evade detection and lead | ||
// to arbitrary writes to anywhere on the system. | ||
if (entry.type === 'SymbolicLink') | ||
dropCache(this.dirCache) | ||
@@ -535,0 +535,0 @@ else if (entry.type !== 'Directory') |
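Review bot: The rewritten comment above `if (entry.type === 'SymbolicLink')` cites "certain unicode attacks" without saying which path forms collide, so a later maintainer cannot tell what the now-unconditional cache drop protects against on non-Windows hosts. I would name the case, hedged to whatever the project actually observed, for example `// e.g. names differing only by Unicode normalization may resolve to one on-disk path, so a cached directory entry can really be a symlink`, and mark the 8.3 shortname as the Windows-only variant. Clearing the whole `dirCache` on every symlink entry also makes later entries re-check their parent directories; that looks like a deliberate safety-over-speed choice and deserves one line in the comment. No test is visible in this diff, so if the repository does not already have one, a regression test that unpacks a symlink followed by a colliding directory path on a non-Windows platform should accompany the change. The enclosing function starts and ends outside the hunk.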
@@ -5,3 +5,3 @@ { | ||
"description": "tar for node", | ||
"version": "4.4.18", | ||
"version": "4.4.19", | ||
"publishConfig": { | ||
@@ -8,0 +8,0 @@ "tag": "v4-legacy" |