ljharb / qs

A querystring parser with nesting support
BSD 3-Clause "New" or "Revised" License
8.5k stars 729 forks

[Fix] do not override array methods/properties (CVE-2021-44907) #440

Closed lscoder closed 2 years ago

lscoder commented 2 years ago

This is a fix for CVE-2021-44907. Any property from the source object that already exists in Array.prototype is ignored.

ljharb commented 2 years ago

See #436 - this CVE is INVALID. It is not a vulnerability, whatsoever.

ljharb commented 2 years ago

In the future, please do not submit an unsolicited PR until you're sure the maintainer wants it. This PR's git ref is now permanent pollution on my repo.