Comparing version 6.1.9 to 6.1.10
@@ -553,9 +553,9 @@ 'use strict' | ||
// is any of its children. | ||
// If a symbolic link is encountered on Windows, all bets are off. | ||
// There is no reasonable way to sanitize the cache in such a way | ||
// we will be able to avoid having filesystem collisions. If this | ||
// happens with a non-symlink entry, it'll just fail to unpack, | ||
// but a symlink to a directory, using an 8.3 shortname, can evade | ||
// detection and lead to arbitrary writes to anywhere on the system. | ||
if (isWindows && entry.type === 'SymbolicLink') | ||
// If a symbolic link is encountered, all bets are off. There is no | ||
// reasonable way to sanitize the cache in such a way we will be able to | ||
// avoid having filesystem collisions. If this happens with a non-symlink | ||
// entry, it'll just fail to unpack, but a symlink to a directory, using an | ||
// 8.3 shortname or certain unicode attacks, can evade detection and lead | ||
// to arbitrary writes to anywhere on the system. | ||
if (entry.type === 'SymbolicLink') | ||
dropCache(this.dirCache) | ||
@@ -562,0 +562,0 @@ else if (entry.type !== 'Directory') |
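Review bot: The rewritten comment above `if (entry.type === 'SymbolicLink')` does not say why the cache is now dropped on every platform; it keeps the Windows-only 8.3 shortname example and adds "certain unicode attacks" without naming what makes a cached entry untrustworthy. With the `isWindows` term removed, a later reader could restore a platform guard as an optimisation, so the comment should state the invariant, something like `// After any symlink is written, a cached directory may be reachable under a path that compares differently (8.3 shortname, Unicode-equivalent name), so no cache entry can be trusted on any platform.`, with the wording confirmed against the cases the fix targets. It should also record that clearing the whole `dirCache` on each symlink entry is deliberate, since archives with many links will presumably repeat directory checks. The `if`/`else if` chain continues past the end of this hunk, so only the first branch is reviewed here.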
@@ -5,3 +5,3 @@ { | ||
"description": "tar for node", | ||
"version": "6.1.9", | ||
"version": "6.1.10", | ||
"repository": { | ||
@@ -8,0 +8,0 @@ "type": "git", |