Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix uppercase hex strings validating as safe #10

Merged
merged 1 commit into from Apr 28, 2019

Conversation

@Zegnat
Copy link
Contributor

Zegnat commented Apr 28, 2019

JSON treats \u005f and \u005F as equals, but the string validation looking for __proto__ ignored the uppercase variant. This lets people trivially bypass the validation imposed by Bourne.

h/t @sknebel for showing me this library.

@hueniverse hueniverse self-assigned this Apr 28, 2019
@hueniverse hueniverse added this to the 1.3.1 milestone Apr 28, 2019
@hueniverse hueniverse reopened this Apr 28, 2019
@hueniverse hueniverse removed this from the 1.3.1 milestone Apr 28, 2019
@hueniverse hueniverse merged commit cb7772c into hapijs:master Apr 28, 2019
1 check passed
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed
Details
@hueniverse hueniverse added this to the 1.3.2 milestone Apr 28, 2019
@hueniverse

This comment has been minimized.

Copy link
Member

hueniverse commented Apr 28, 2019

Thanks!

hueniverse added a commit that referenced this pull request Apr 28, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.