Use file name whitelist to prevent RCE
Summary: Use a whitelist to validate user-provided file names. This doesn't cover the entire range of valid filenames but should cover almost all of them in practice. Allows letters, numbers, periods, dashes, and underscores. Opting to use a whitelist instead of a blacklist because getting this wrong leaves us vulnerable to a RCE attack. This is the same patch I submitted to create-react-app: https://github.com/facebook/create-react-app/pull/4866 See s163726 for more details Reviewed By: LukasReschke Differential Revision: D9504148 fbshipit-source-id: e3c7587f1b7f93bec90a58a38d5f6d58f1f59275
This commit is contained in:
Родитель
b5d908bc73
Коммит
9862a77b6a
Различия файлов скрыты, потому что одна или несколько строк слишком длинны
Загрузка…
Ссылка в новой задаче