You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Enhanced the handling of comma-separated values in Session._clientAddress.
- Added explicit trimming of IP addresses using a map function.
- Updated validation to ensure an exact match for httpForwardedCount.
- Bumped package version from 3.1.0 to 3.1.1.
- Created a changelog to document these changes.
Thanks again for looking into and addressing the ReDoS vulnerability I previously reported regarding the _clientAddress method in livedata_server.js (originally Issue #13713).
Now that a fix has been implemented, I just had a quick question regarding tracking.
Given that this vulnerability could affect production applications where HTTP_FORWARDED_COUNT is configured, would the team consider requesting a CVE ID for this resolved issue? Having a CVE identifier would be helpful for standardized tracking and awareness within the security community.
Of course, this depends entirely on the team's assessment and security policy. I just wanted to raise the possibility for consideration.
Thanks again for your time and effort!
I think a release bump is best for a core package. It will notify everyone, especially if we recommend it, and ensure this important change is seen.ñ and applied in one update.
With minor server bumps is more tricky to get your project updated.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
italojs
changed the title
nachocodoner
changed the title
fix: https://github.com/meteor/meteor/issues/13713