Re: [nodejs] Security Issue

[Alex Kocharin]

 

Not a security issue.

 

If you're checking any machine-generated data in to a version control system, you're doing it wrong. The sole existence of an unknown file in "git commit -a" should be a red flag, and the data leak isn't because of the node.js but because of the person who committed it there.

 

Besides, environment variables shouldn't be used to store anything secret, so it sounds twice like "not a security issue".

 

 

06.05.2014, 08:19, "Ritchie Young" <ritch...@gmail.com>:

As I'd mentioned previously on the mailing list, I have a security concern. I don't think that it applies to versions of NodeJS past 0.8.x but you may like to check that out.

 

Full details here:

 

http://egoless-self-promotion.blogspot.com.au/2014/05/nodejs-08x-may-leak-your-environment.html

 

TLDR: The .lock-wscript file contains a dump of your environment variables and may be inadvertently published along with your source-code.

 

Cheers

Ritchie

 

 

 

 

--
Job board: http://jobs.nodejs.org/
New group rules: https://gist.github.com/othiym23/9886289#file-moderation-policy-md
Old group rules: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
---
You received this message because you are subscribed to the Google Groups "nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nodejs+unsubscr...@googlegroups.com.
To post to this group, send email to nodejs@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/nodejs/CAJJUJJq7Bfq_ZRS%2BcVyXHaqLhwJ4-1FTZYvt9y3-N-FfJ8cxBw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

--
Job board: http://jobs.nodejs.org/
New group rules: https://gist.github.com/othiym23/9886289#file-moderation-policy-md
Old group rules: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
---
You received this message because you are subscribed to the Google Groups "nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to nodejs+unsubscr...@googlegroups.com.
To post to this group, send email to nodejs@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/nodejs/3582361399366436%40web16m.yandex.ru.
For more options, visit https://groups.google.com/d/optout.