
Matthew Daley discovered that the HTTP server code embedded in the Node engine contains exactly such an error (in fact, just a typo: using "size" instead of "size_"). Because of it, a specially crafted request can make the server significantly overestimate the actual size of the request and include in it the contents of neighbouring, foreign HTTP requests (for example, someone else's cookies end up in a variable passed to the server; and if that variable is one of those that is displayed on the page right away, the attacker's attempt can easily succeed).

All users of Node versions 0.5.x and 0.6.x should update Node to version 0.6.17 immediately, and owners of experimental versions from the 0.7 branch should update them to 0.7.8. (Versions 0.4.x do not contain this error, but if I were you, I would update them anyway, because they are old.)

This announcement was published in the Node blog.
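As an added illustration of the bug class (constructed here; this is neither Node's code nor the actual patch), the C snippet below keeps the true request length in a member `size_`, hands the copy routine an unrelated local `size` holding the byte count of the whole shared buffer, and shows how choosing the wrong one hands the application bytes from the neighbouring request; the hardened variant bounds the copy by `size_`. The request strings, `parser_t`, and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed illustration of the bug class, not Node's code. The parser
 * keeps the length of the request it owns in size_; the copy routine also
 * gets an unrelated local named size (here: bytes in the whole buffer). */
typedef struct {
    const char *data;  /* where this request starts in the shared buffer */
    size_t size_;      /* how many bytes of that buffer belong to it */
} parser_t;

/* Two back-to-back requests in one buffer (constructed sample data); the
 * second carries a cookie that belongs to a different client. */
#define FIRST_REQ  "GET /a HTTP/1.1\r\nHost: x\r\n\r\n"
#define SECOND_REQ "GET /b HTTP/1.1\r\nHost: x\r\nCookie: sid=OTHER_CLIENT\r\n\r\n"
static const char SHARED_BUF[] = FIRST_REQ SECOND_REQ;

/* Buggy: bounds the copy by the local `size` instead of p->size_. */
static size_t copy_request_buggy(const parser_t *p, size_t size,
                                 char *out, size_t cap)
{
    size_t n = size < cap - 1 ? size : cap - 1;
    memcpy(out, p->data, n);
    out[n] = '\0';
    return n;
}

/* Fixed: never copies more than the parser's own size_, whatever the
 * caller's count says. */
static size_t copy_request_fixed(const parser_t *p, size_t size,
                                 char *out, size_t cap)
{
    size_t n = size < p->size_ ? size : p->size_;
    if (n > cap - 1) n = cap - 1;
    memcpy(out, p->data, n);
    out[n] = '\0';
    return n;
}

/* 1 if the copied first request contains the other client's cookie. */
static int leaks_cookie(int use_fixed)
{
    char out[128];
    parser_t p = { SHARED_BUF, sizeof(FIRST_REQ) - 1 };
    size_t total = sizeof(SHARED_BUF) - 1;
    if (use_fixed) copy_request_fixed(&p, total, out, sizeof out);
    else           copy_request_buggy(&p, total, out, sizeof out);
    return strstr(out, "OTHER_CLIENT") != NULL;
}
```

The buggy path copies the whole buffer, so the first request's body ends with the other client's cookie; the fixed path stops at the request's own boundary.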
At the same time, I recommend using this example to reflect on a more general point: variable names that are too similar are often the source of unpleasant, hard-to-find typos. If you already have a variable "time" in the code and need to create another one, try not to call it "time1", not "_time", not "dtime", but, taking its meaning into account, something like "finishedTime", "deliveryTime" or "nextTime", even if the name turns out somewhat longer and clumsier than one that differs by only a single character.
It is also clear from this example that if the project's code is open and development is conducted in the open, then from the look of the commit alone (such as the one for the 0.6 branch or the one for 0.7) a thoughtful reader has no difficulty guessing the true severity and significance of the corrected error. So there is no point in hiding it; instead, a sufficiently convincing account of why updating is necessary should be spread among users as quickly and as widely as possible.

By blogging about it on Habrahabr, I hope to contribute to that spread.