
fix: sanitise and escape the pretty option #3314

Merged: 1 commit, Feb 28, 2021

Conversation


@ForbesLindesay ForbesLindesay commented Feb 28, 2021

No description provided.


@rollingversions rollingversions bot commented Feb 28, 2021

pug (3.0.0 → 3.0.1)

Bug Fixes

  • Sanitise the pretty option

    If a malicious attacker could control the pretty option, it was possible for them to achieve remote code execution on the server rendering the template. All pug users should upgrade as soon as possible; see #3312 for more details.

pug-code-gen (3.0.1 → 3.0.2)

Bug Fixes

  • Sanitise the pretty option

    If a malicious attacker could control the pretty option, it was possible for them to achieve remote code execution on the server rendering the template. All pug users should upgrade as soon as possible; see #3312 for more details.

Packages With No Changes

The following packages have no user facing changes, so won't be released:

  • pug-attrs
  • pug-error
  • pug-filters
  • pug-lexer
  • pug-linker
  • pug-load
  • pug-parser
  • pug-runtime
  • pug-strip-comments
  • pug-walk

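The release note above says the risk comes from an attacker being able to control the `pretty` option. The following is an added example, not code from the pug project or from this PR: a small option-validation layer that an application can put in front of `pug.compile()`/`pug.render()` so that `pretty` can only ever be a boolean or an indentation string. The whitespace-only rule is this example's own allow-list (an assumption, not pug's documented behaviour), and it complements upgrading to the fixed versions rather than replacing it.

```javascript
// Added example (not pug's code): validate untrusted render options before
// they reach pug, so the `pretty` option cannot carry an arbitrary string.
// Upgrading to pug >= 3.0.1 / pug-code-gen >= 3.0.2 (2.0.3 on the 2.x line)
// remains the actual fix; this is defence in depth at the application layer.

// pug accepts `pretty` as a boolean or as an indentation string. The
// whitespace-only rule is this example's assumption: it admits every
// sensible indentation value and nothing that could read as code.
const INDENT_STRING = /^[ \t]*$/;

function sanitisePretty(value) {
  // Absent or boolean: pass through unchanged.
  if (value === undefined || typeof value === 'boolean') {
    return value;
  }
  // Strings: only spaces and tabs are allowed, nothing else.
  if (typeof value === 'string' && INDENT_STRING.test(value)) {
    return value;
  }
  // Anything else (numbers, objects, code-like strings) is refused loudly
  // rather than coerced, so the rejection is visible in logs and tests.
  throw new TypeError(`Rejected unsafe "pretty" option: ${JSON.stringify(value)}`);
}

// Build the options object handed to pug from an untrusted source (for
// example a parsed request body) by copying only known keys through checks,
// instead of spreading the untrusted object into the options.
function buildRenderOptions(untrusted) {
  const opts = {};
  if (untrusted && Object.prototype.hasOwnProperty.call(untrusted, 'pretty')) {
    opts.pretty = sanitisePretty(untrusted.pretty);
  }
  return opts;
}

// Boolean verdict, convenient for middleware or for tests.
function isSafePretty(value) {
  try {
    sanitisePretty(value);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample inputs, as a request handler might receive them.
const SAMPLES = [true, '  ', '\t', 'not-whitespace', 1, { toString: () => '' }];
for (const sample of SAMPLES) {
  console.log(JSON.stringify(sample), '->', isSafePretty(sample) ? 'accepted' : 'rejected');
}
```

The point of `buildRenderOptions` is that untrusted input is never spread into the options object: each key that is allowed through is named explicitly and passes its own check, so a new option added by a future pug version cannot become reachable by accident.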

@ForbesLindesay ForbesLindesay merged commit 991e78f into master Feb 28, 2021
4 checks passed:

  • github-actions: test (10.x)
  • github-actions: test (12.x)
  • github-actions: test (14.x)
  • rollingversions: RollingVersions releasing multiple packages
@ForbesLindesay ForbesLindesay deleted the fix/pp-escaping branch Feb 28, 2021

@Nixinova Nixinova commented Mar 3, 2021

Could this also be released as a 2.X patch so people with "pug":"^2" can receive it?


@bramkragten bramkragten commented Mar 3, 2021

Could this also be released as a 2.X patch so people with "pug":"^2" can receive it?

You can just upgrade pug-code-gen to 2.0.3


@Songkeys Songkeys commented Mar 4, 2021

@bramkragten

You can just upgrade pug-code-gen to 2.0.3

But pug < 3.0.1 is labelled as a vulnerability. My security system keeps arguing that I should upgrade my pug@^2 to 3.0.1.

I think we should have a branch to cut a release for 2.X or remove the vulnerability label for pug.

This was referenced Mar 7, 2021
This was referenced Mar 16, 2021