Closed Zarel closed 3 years ago
shouldn't this be related to / fixed in the specific Node runtime in use?
It looks like this is new in Node.js v10:
https://alexatnet.com/node-js-10-important-changes/#fs-2
In previous Node versions, it would be passed as an error to the fs.stat
callback, so it would respond with a 404:
fs.stat(pathname, function (e, stat) {
if (e) {
finish(404, {});
But in Node 10 and later, fs.stat
instead synchronously throws an error.
https://github.com/nodejs/node/pull/18308
is the change in Node.js that led to this regression.
This is a serious security issue. What is the state of this PR ?
Why is this still not closed? 🤔
Closing as #227 avoids need for this PR.
A pathname containing
U+0000 NULL
will crashfs.stat
with the error message "TypeError [ERR_INVALID_ARG_VALUE]: The argument 'path' must be a string or Uint8Array without null bytes."This commit prevents node-static from crashing.