examples: defend from privilege elevation #4120

KoyamaSohei · 2019-12-10T19:22:27Z

dougwilson · 2020-06-03T06:55:45Z

So I noticed the fix for this was to switch from res.download to attachment + sendFile. That does indeed work, but I think it exposes that the res.download API doesn't actually make it easy to use it i. This way, which I think we should actually improve/fix in some way.

closes #4120

dougwilson · 2022-02-08T22:45:36Z

Ok, Sorry for the delay. I dug in to this today and so what I found was that this was an oversight when the full options support was added to res.download -- this is a bug it'll be fixed such that the root option is honored when supplied. This bug fix will land in the next minor, 4.18, since it's a bit more risky of a fix depending on what folks are passing in. I updated the example to resolve the path to absolute and still use res.download, as I looked in to it and this example's purpose was to demo res.download among other APIs, so this'll land now.

closes expressjs#4120

KoyamaSohei changed the title ~~examples: defend privilege elevation~~ examples: defend from privilege elevation Dec 13, 2019

dougwilson added pr examples labels Jan 28, 2020

dougwilson self-assigned this Mar 25, 2020

dougwilson force-pushed the master branch from c0e5dc1 to 6660649 Compare December 16, 2021 03:36

dougwilson force-pushed the master branch from 2295290 to a84e73b Compare February 2, 2022 06:42

examples: fix path traversal in downloads example

82de4de

closes #4120

dougwilson approved these changes Feb 8, 2022

View reviewed changes

dougwilson closed this in 82de4de Feb 8, 2022

dougwilson merged commit 82de4de into expressjs:master Feb 8, 2022

himanshiLt pushed a commit to himanshiLt/express that referenced this pull request Jun 20, 2022

examples: fix path traversal in downloads example

a2a1155

closes expressjs#4120

sync-by-unito bot mentioned this pull request Jun 2, 2024

Bump express from 5.0.0-alpha.8 to 5.0.0-beta.3 ForumMagnum/ForumMagnum#8983

Closed

This was referenced Oct 28, 2024

[Snyk] Upgrade express from 4.21.1 to 5.0.0 nerdy-tech-com-gitub/images#2

Open

[Snyk] Upgrade express from 4.21.1 to 5.0.0 nerdy-tech-com-gitub/chroma#15

Open

[Snyk] Upgrade express from 4.21.1 to 5.0.0 nerdy-tech-com-gitub/images#8

Open

EchoSkorJjj mentioned this pull request Oct 29, 2024

[Snyk] Upgrade express from 4.18.2 to 5.0.0 EchoSkorJjj/UI#277

Open

This was referenced Oct 30, 2024

[Snyk] Upgrade express from 4.21.1 to 5.0.0 SherfeyInv/images#3

Open

[Snyk] Upgrade express from 4.21.1 to 5.0.0 SherfeyInv/images#4

Open

Gabo-Tech mentioned this pull request Nov 3, 2024

[Snyk] Upgrade express from 4.16.3 to 5.0.0 Gabo-Tech/toDoList#316

Open

EchoSkorJjj mentioned this pull request Nov 5, 2024

[Snyk] Upgrade express from 4.18.2 to 5.0.0 EchoSkorJjj/UI#278

Open

snyk-io bot mentioned this pull request Nov 10, 2024

[Snyk] Upgrade express from 4.21.1 to 5.0.0 doperiddle/bch-rpc-explorer#11

Open

doperiddle mentioned this pull request Nov 10, 2024

[Snyk] Upgrade express from 4.17.1 to 5.0.0 doperiddle/paystring#5

Merged

Gabo-Tech mentioned this pull request Nov 10, 2024

[Snyk] Upgrade express from 4.16.3 to 5.0.0 Gabo-Tech/toDoList#318

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

examples: defend from privilege elevation #4120

examples: defend from privilege elevation #4120

KoyamaSohei commented Dec 10, 2019

dougwilson commented Jun 3, 2020

dougwilson commented Feb 8, 2022

examples: defend from privilege elevation #4120

examples: defend from privilege elevation #4120

Conversation

KoyamaSohei commented Dec 10, 2019

dougwilson commented Jun 3, 2020

dougwilson commented Feb 8, 2022