This package appears to have a TOCTOU bug, which can trick it into
descending into unintended trees if a non-symlink is replaced by a
symlink at a critical moment:

    fs.lstat(pathChild, function(er, stats) {
      if (er)
        return cb(er)
      if (!stats.isSymbolicLink())

Package: wnpp
Severity: wishlist
Owner: hacksk
X-Debbugs-CC: debian-de...@lists.debian.org
* Package name    : node-chownr
  Version         : 1.0.1
  Upstream Author : Isaac Z. Schlueter (http://blog.izs.me/)
* URL             : https://github.com/isaacs/chownr#readme
* License         : ISC