path: fix regression in posix.normalize by targos · Pull Request #19520 · nodejs/node

Fixes a regression introduced in [1].
The posix version of normalize should not treat backslash as a path
separator.

[1] 4ae320f2

PR-URL: #19520
Fixes: #19519
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

Fixes a regression introduced in [1].
The posix version of normalize should not treat backslash as a path
separator.

[1] 4ae320f2

PR-URL: #19520
Fixes: #19519
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

Notable changes:

* cluster:
  - Add support for `NODE_OPTIONS="--inspect"` (Sameer Srivastava)
    #19165
* crypto:
  - Expose the public key of a certificate (Hannes Magnusson)
    #17690
* n-api:
  - Add `napi_fatal_exception` to trigger an `uncaughtException` in
    JavaScript (Mathias Buus)
    #19337
* path:
  - Fix regression in `posix.normalize` (Michaël Zasso)
    #19520
* stream:
  - Improve stream creation performance (Brian White)
    #19401
* Added new collaborators
  - [BethGriggs](https://github.com/BethGriggs) Beth Griggs

This is a security release. All Node.js users should consult the
security release summary at:

https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

* CVE-2018-7158
* CVE-2018-7159
* CVE-2018-7160

Notable changes:

* Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that
  are known to impact Node.js.
* **Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)**:
  A malicious website could use a DNS rebinding attack to trick a web
  browser to bypass same-origin-policy checks and allow HTTP
  connections to localhost or to hosts on the local network,
  potentially to an open inspector port as a debugger, therefore
  gaining full code execution access. The inspector now only allows
  connections that have a browser `Host` value of `localhost` or
  `localhost6`.
* **Fix for `'path'` module regular expression denial of service
  (CVE-2018-7158)**: A regular expression used for parsing POSIX an
  Windows paths could be used to cause a denial of service if an
  attacker were able to have a specially crafted path string passed
  through one of the impacted `'path'` module functions.
* **Reject spaces in HTTP `Content-Length` header values
  (CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside
  `Content-Length` header values. Such values now lead to rejected
  connections in the same way as non-numeric values.
* **Update root certificates**: 5 additional root certificates have
  been added to the Node.js binary and 30 have been removed.

* cluster:
  - Add support for `NODE_OPTIONS="--inspect"` (Sameer Srivastava)
    #19165
* crypto:
  - Expose the public key of a certificate (Hannes Magnusson)
    #17690
* n-api:
  - Add `napi_fatal_exception` to trigger an `uncaughtException` in
    JavaScript (Mathias Buus)
    #19337
* path:
  - Fix regression in `posix.normalize` (Michaël Zasso)
    #19520
* stream:
  - Improve stream creation performance (Brian White)
    #19401
* Added new collaborators
  - [BethGriggs](https://github.com/BethGriggs) Beth Griggs

PR-URL: https://github.com/nodejs-private/node-private/pull/111

This is a security release. All Node.js users should consult the
security release summary at:

https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

* CVE-2018-7158
* CVE-2018-7159
* CVE-2018-7160

Notable changes:

* Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that
  are known to impact Node.js.
* **Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)**:
  A malicious website could use a DNS rebinding attack to trick a web
  browser to bypass same-origin-policy checks and allow HTTP
  connections to localhost or to hosts on the local network,
  potentially to an open inspector port as a debugger, therefore
  gaining full code execution access. The inspector now only allows
  connections that have a browser `Host` value of `localhost` or
  `localhost6`.
* **Fix for `'path'` module regular expression denial of service
  (CVE-2018-7158)**: A regular expression used for parsing POSIX an
  Windows paths could be used to cause a denial of service if an
  attacker were able to have a specially crafted path string passed
  through one of the impacted `'path'` module functions.
* **Reject spaces in HTTP `Content-Length` header values
  (CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside
  `Content-Length` header values. Such values now lead to rejected
  connections in the same way as non-numeric values.
* **Update root certificates**: 5 additional root certificates have
  been added to the Node.js binary and 30 have been removed.

* cluster:
  - Add support for `NODE_OPTIONS="--inspect"` (Sameer Srivastava)
    nodejs/node#19165
* crypto:
  - Expose the public key of a certificate (Hannes Magnusson)
    nodejs/node#17690
* n-api:
  - Add `napi_fatal_exception` to trigger an `uncaughtException` in
    JavaScript (Mathias Buus)
    nodejs/node#19337
* path:
  - Fix regression in `posix.normalize` (Michaël Zasso)
    nodejs/node#19520
* stream:
  - Improve stream creation performance (Brian White)
    nodejs/node#19401
* Added new collaborators
  - [BethGriggs](https://github.com/BethGriggs) Beth Griggs

PR-URL: https://github.com/nodejs-private/node-private/pull/111