diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4a7fade7..82612333 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,16 @@
 #CHANGELOG
 
+## v2.4.2
+
+Issue [#48](https://github.com/qiniu/nodejs-sdk/pull/48):
+
+- 去除 auth.GetPolicy.scope 的默认值："*/*"
+
+Issue [#46](https://github.com/qiniu/nodejs-sdk/pull/46):
+
+- 更新 v2.4.1 的文档(docs/README.md)
+
+
 ## v2.4.1
 
 2013-02-09
diff --git a/lib/auth.js b/lib/auth.js
index 1939e119..84f33c55 100644
--- a/lib/auth.js
+++ b/lib/auth.js
@@ -47,8 +47,7 @@ function PutPolicy(opts) {
 
 PutPolicy.prototype.token = function() {
   var params = {
-    "deadline": this.expires + Math.floor(Date.now() / 1000),
-    "escape": this.excape,
+    "deadline": this.expires + Math.floor(Date.now() / 1000)
   };
   if (this.scope !== null) {
     params["scope"] = this.scope;
@@ -65,6 +64,9 @@ PutPolicy.prototype.token = function() {
   if (this.asyncOps !== null) {
     params["asyncOps"] = this.asyncOps;
   }
+  if (this.escape) {
+    params["escape"] = this.excape;
+  }
   return generateToken(params);
 };
 
@@ -73,7 +75,7 @@ PutPolicy.prototype.token = function() {
 
 function GetPolicy(opts) {
   this.expires = opts.expires || 3600;
-  this.scope = opts.scope || "*/*";
+  this.scope = opts.scope; // GetPolicy.scope 没有默认值：用 "*/*" 访问权限太高！
 }
 
 GetPolicy.prototype.token = function() {