A framework for building native applications using React
Use file name whitelist to prevent RCE
Summary: Use a whitelist to validate user-provided file names. This doesn't cover the entire range of valid filenames but should cover almost all of them in practice. Allows letters, numbers, periods, dashes, and underscores. Opting to use a whitelist instead of a blacklist because getting this wrong leaves us vulnerable to a RCE attack. This is the same patch I submitted to create-react-app: https://github.com/facebook/create-react-app/pull/4866 See s163726 for more details Reviewed By: LukasReschke Differential Revision: D9504148 fbshipit-source-id: e3c7587f1b7f93bec90a58a38d5f6d58f1f59275
A
Andrew Clark committed
9862a77b6af7145279ac64b031608912a51548bd
Parent: b5d908b
Committed by Facebook Github Bot <[email protected]>
on 9/4/2018, 6:32:51 PM