v0.4.6
NOTICE
This version patches a directory-traversal security vulnerability that exists in dev mode only. All users should update immediately, even if they don't think they're using --dev or opts.dev on live servers. There are no other changes in this release.
Patches
- Fixes dev mode security vulnerability (#63): 1e0bac5
Thank you @marvinhagemeister~! As Marvin describes:
This allows an attacker to traverse the file system outside of the specified directory.
Let's say sirv was initialized to serve files from /foo/bar:
sirv("/foo/bar");
...and an attacker makes a request to:
GET /../../etc/passwd
...then they are able to download the contents of that file.
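
The request described above, mapped to a file path with and without a containment check. This is an added example, not sirv's code and not the change in 1e0bac5; the names naiveResolve, safeResolve and audit are hypothetical, and POSIX path semantics are assumed.

```javascript
// Added example: not sirv's code. Function names are hypothetical.
const path = require('node:path');

// Vulnerable pattern: the request path is joined onto the root unchecked,
// so ".." segments resolve to a location outside the served directory.
function naiveResolve(root, reqPath) {
  return path.posix.join(root, reqPath);
}

// Hardened pattern: decode, resolve to an absolute path, then require the
// result to be the root itself or strictly below it.
function safeResolve(root, reqPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(reqPath); // catches %2e%2e style encodings
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes('\0')) return null; // NUL byte never belongs in a path

  const base = path.posix.resolve(root);
  const target = path.posix.resolve(base, './' + decoded);

  // Compare against base + '/' so a sibling such as /foo/bar-secret
  // does not pass a plain prefix test on /foo/bar.
  if (target !== base && !target.startsWith(base + '/')) return null;
  return target;
}

// Constructed sample requests against the root used in the report above.
const ROOT = '/foo/bar';
const SAMPLES = [
  '/css/app.css',
  '/../../etc/passwd',
  '/%2e%2e/%2e%2e/etc/passwd',
  '/../bar-secret/key.pem',
];

function audit(root, requests) {
  return requests.map((r) => ({
    request: r,
    naive: naiveResolve(root, r),
    safe: safeResolve(root, r), // null means "reject the request"
  }));
}

console.table(audit(ROOT, SAMPLES));
```

The check is lexical only; a symlink inside the root that points elsewhere needs a realpath comparison on top of it.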