diff --git a/CHANGELOG.md b/CHANGELOG.md index 9912deb..8fdc899 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -77,6 +77,7 @@ For major (breaking) changes - **version 4, 3 and 2** - see end of page. | Version | Date | Comment | | -------------- | -------------- | -------- | +| 5.6.7 | 2021-03-16 | `inetLatency()` `ineChecksite()` schema validation | | 5.6.6 | 2021-03-16 | code refactoring | | 5.6.5 | 2021-03-15 | `cpuTemperature()` fix (linux) | | 5.6.4 | 2021-03-15 | `sanitizeShellString()` and other security improvements | diff --git a/docs/history.html b/docs/history.html index a5fd53c..702e07c 100644 --- a/docs/history.html +++ b/docs/history.html @@ -56,6 +56,11 @@ + + 5.6.8 + 2021-03-16 + inetLatency() inetChecksite() schema avlidation + 5.6.6 2021-03-16 diff --git a/docs/index.html b/docs/index.html index ac465fb..7c6f89f 100644 --- a/docs/index.html +++ b/docs/index.html @@ -170,7 +170,7 @@
systeminformation
 
-
New Version: 5.6.6
+
New Version: 5.6.7
diff --git a/docs/security.html b/docs/security.html index 3eeb8a8..590c081 100644 --- a/docs/security.html +++ b/docs/security.html @@ -43,6 +43,9 @@
Security Advisories
+

Passing User Paramters to Systeminformation

+

Be aware to not use inetLatency(), inetChecksite(), services(), processLoad() with arbitrary untrusted user input! We are doing a lot of input sanitation for those functions in this package but we cannot handle all cases!

+

Command Injection Vulnerability

Affected versions: < 5.6.4 and < 4.34.17
diff --git a/docs/v4/history.html b/docs/v4/history.html index 55aa575..2aedaf7 100644 --- a/docs/v4/history.html +++ b/docs/v4/history.html @@ -83,6 +83,16 @@ + + 4.34.19 + 2021-03-16 + inetLatency() inetChecksite() schema avlidation + + + 4.34.18 + 2021-03-16 + code refactoring + 4.34.17 2021-03-14 diff --git a/docs/v4/index.html b/docs/v4/index.html index 2b08555..9bedc4b 100644 --- a/docs/v4/index.html +++ b/docs/v4/index.html @@ -170,7 +170,7 @@

systeminformation
 
Version 4 documentation
-
Current Version: 4.34.17
+
Current Version: 4.34.19
diff --git a/docs/v4/security.html b/docs/v4/security.html index 3907e78..d7e8db4 100644 --- a/docs/v4/security.html +++ b/docs/v4/security.html @@ -42,6 +42,9 @@
Security Advisories
+

Passing User Paramters to Systeminformation

+

Be aware to not use inetLatency(), inetChecksite(), services(), processLoad() with arbitrary untrusted user input! We are doing a lot of input sanitation for those functions in this package but we cannot handle all cases!

+

Command Injection Vulnerability

Affected versions: < 4.34.17
diff --git a/lib/internet.js b/lib/internet.js index 23e6d6f..cc996e1 100644 --- a/lib/internet.js +++ b/lib/internet.js @@ -58,7 +58,7 @@ function inetChecksite(url, callback) { try { if (urlSanitized && !util.isPrototypePolluted()) { urlSanitized.__proto__.startsWith = util.stringStartWith; - if (urlSanitized.startsWith('file:')) { + if (urlSanitized.startsWith('file:') || urlSanitized.startsWith('gopher:') || urlSanitized.startsWith('telnet:') || urlSanitized.startsWith('mailto:') || urlSanitized.startsWith('news:') || urlSanitized.startsWith('nntp:')) { if (callback) { callback(result); } return resolve(result); } @@ -153,7 +153,7 @@ function inetLatency(host, callback) { } } hostSanitized.__proto__.startsWith = util.stringStartWith; - if (hostSanitized.startsWith('file:')) { + if (hostSanitized.startsWith('file:') || hostSanitized.startsWith('gopher:') || hostSanitized.startsWith('telnet:') || hostSanitized.startsWith('mailto:') || hostSanitized.startsWith('news:') || hostSanitized.startsWith('nntp:')) { if (callback) { callback(null); } return resolve(null); }