v1.1.2

@sunnyadn sunnyadn released this 28 May 06:46

Security

  • Fix silent acceptance of duplicate keys whose prior value is a falsy primitive (GHSA-m34p-749j-x6m6, CWE-697).

    The interpreter checked whether a key already existed with a truthy test (if (object[key])) instead of key in object. When the prior value was a falsy primitive — false, 0, 0.0, -0.0, nan, or "" — the duplicate-key branch was skipped and the value was silently overwritten by a later table, dotted-key sub-table, or array-of-tables of the same name, instead of raising a parse error as the TOML 1.0.0 spec requires. A boolean false could thus surface as a truthy object in the parsed result.

    All users on 1.1.1 or earlier are affected and should upgrade to 1.1.2.

    Reported by @CosmicCrusader23 — thank you.
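The bug pattern described above, reduced to its core as an added example (this is illustrative code, not the project's own implementation; `defineTableBuggy`, `defineTableFixed` and `simulate` are hypothetical names). It models the moment a parser sees a table header `[name]` after an earlier `name = <value>` line in the same scope, and shows why a truthy test lets every falsy primitive through while a presence test rejects all of them:

```javascript
// Buggy check: a prior value of false, 0, -0, NaN or "" is treated as "absent",
// so the header silently replaces it with a fresh table.
function defineTableBuggy(object, key) {
  if (object[key]) {
    throw new SyntaxError(`Duplicate key: ${key}`);
  }
  object[key] = {};
  return object[key];
}

// Fixed check: any prior definition, whatever its value, is a duplicate.
// `in` also sees inherited names (e.g. "toString") on ordinary objects, so the
// scope object is created with a null prototype (see simulate below).
function defineTableFixed(object, key) {
  if (key in object) {
    throw new SyntaxError(`Duplicate key: ${key}`);
  }
  object[key] = {};
  return object[key];
}

// Constructed two-line document:   name = <priorValue>   then   [name]
// Returns whether the header was rejected and what `name` holds afterwards.
function simulate(defineTable, priorValue) {
  const root = Object.create(null); // null prototype: `in` reports own keys only
  root.name = priorValue;           // models the key/value line
  try {
    defineTable(root, "name");      // models the later table header
    return { rejected: false, value: root.name };
  } catch (e) {
    return { rejected: true, value: root.name };
  }
}

// Quick demonstration with the falsy primitives named in the advisory.
for (const v of [false, 0, -0, NaN, ""]) {
  const buggy = simulate(defineTableBuggy, v);
  const fixed = simulate(defineTableFixed, v);
  console.log(String(v), "buggy rejected:", buggy.rejected, "fixed rejected:", fixed.rejected);
}
```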

Fixed

  • Reject array-of-tables headers ([[a.b]]) that descend into a statically-defined array. getOrCreateArray lacked the immutability guard that createTable already had, so such input either threw an uncaught TypeError or silently mutated the static array instead of raising SyntaxParseError.

Full changelog: v1.1.1...v1.1.2