This repository has been archived by the owner on Nov 5, 2018. It is now read-only.

doc_name is not encoded when used to build url for update. #158

Closed
ozomer opened this issue Oct 25, 2013 · 1 comment

ozomer commented Oct 25, 2013

See:
https://github.com/dscape/nano/blob/master/nano.js#L841

I suggest wrapping it with `encodeURIComponent(doc_name)`.
This is relevant, for example, when the document ids contain slashes.

This may even be a security issue if the user has limited access to a service that calls updates, and he tells the service to update a document with an id that begins with "../../" (I'm not sure if this will actually work and make the service call other DB functions).

Contributor

dscape commented Oct 25, 2013

Can you re-open, sending a pull request including tests?

Thank you :)

@ozomer ozomer closed this as completed Oct 25, 2013
dscape added a commit that referenced this issue Nov 11, 2013
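
What the suggested `encodeURIComponent(doc_name)` changes, as an added example that is not nano's code or part of either comment: it builds a CouchDB update-handler path with and without encoding and resolves it with Node's WHATWG `URL` parser. The function names, base address and sample ids are hypothetical, and whether CouchDB or a proxy in front of it normalises the path the same way is not established in this thread.

```javascript
// Added example; updatePath, resolved, staysInHandler and BASE are hypothetical names.
const BASE = 'http://localhost:5984'; // constructed address, never contacted

// CouchDB update handler route: /{db}/_design/{ddoc}/_update/{func}/{docid}
function updatePath(db, ddoc, handler, docName, encode) {
  const id = encode ? encodeURIComponent(docName) : docName;
  return `/${db}/_design/${ddoc}/_update/${handler}/${id}`;
}

// Resolve the path the way a normalising URL parser does (dot segments removed).
function resolved(path) {
  return new URL(path, BASE).pathname;
}

// True when the resolved path is still "<handler prefix>/<exactly one segment>".
function staysInHandler(db, ddoc, handler, docName, encode) {
  const prefix = `/${db}/_design/${ddoc}/_update/${handler}/`;
  const p = resolved(updatePath(db, ddoc, handler, docName, encode));
  return p.startsWith(prefix) && !p.slice(prefix.length).includes('/');
}

// Constructed sample ids: a plain id, an id with a slash, and the "../../" case
// raised in the issue.
for (const id of ['invoice-42', 'a/b', '../../x']) {
  for (const encode of [false, true]) {
    const path = updatePath('db', 'app', 'bump', id, encode);
    console.log(
      JSON.stringify(id).padEnd(14),
      encode ? 'encoded' : 'raw    ',
      resolved(path).padEnd(44),
      staysInHandler('db', 'app', 'bump', id, encode) ? 'ok' : 'LEAVES HANDLER ROUTE'
    );
  }
}
```

A test for the fix can assert the same property: for any document id, the resolved request path keeps the `_update/<handler>/` prefix and adds exactly one segment after it.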