deps: backport f617ccc644 from uv upstream (!6392) · Merge requests · Rodrigo Test / Test Group-nodejs / node

Rodrigo Muino Tomonari requested to merge github/fork/MylesBorins/real-path-hardening into master Apr 26, 2016

protect against realpath(3) exploit

ref: https://github.com/isaacs/node-glob/pull/259#issuecomment-213367860

Original commit message:

unix: error on realpath if PATH_MAX is undefined

Currently when PATH_MAX is undefined realpath will default to using 4096.
There is a potential stack overflow attack that can be mitigated by having
PATH_MAX defined. This change conservatively errors if a system does not
have PATH_MAX defined.

This change also explicitly includes `limits.h` to ensure that all platforms
have PATH_MAX defined if it is available.

Ref: http://pubs.opengroup.org/onlinepubs/9699919799/functions/realpath.html

Refs: nodejs/node#2680 (comment)
PR-URL: #843
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Saúl Ibarra Corretgé <saghul@gmail.com>

Admin message

Admin message

deps: backport f617ccc644 from uv upstream

Merge request reports