The exact security issue behind new Buffer()

By now everyone knows that using the Buffer constructor is deprecated in the latest Node versions.

var buff = new Buffer();  // Deprecation warning!!

The warning says the constructor has a security issue. I tried to find the exact security issue behind this warning, but failed.

What is the exact security issue behind this?

According to this issue on GitHub:

If an attacker can make your program call the Buffer constructor with a Number argument, then they can make it allocate uninitialized memory from the node.js process. This could potentially disclose TLS private keys, user data, or database passwords.

When the Buffer constructor is passed a Number argument, it returns an UNINITIALIZED block of memory of the specified size. ...
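
The type confusion described in the quoted issue, shown as an added example that is not part of the original post or of the GitHub issue. The function names, the JSON payloads and the 1024-byte size limit are assumptions made for illustration.

```javascript
// Added example: a JSON field expected to be a string reaches the Buffer
// constructor. All names and payloads below are constructed for illustration.

// Vulnerable pattern: the argument's type decides what new Buffer() does.
function toHexUnsafe(value) {
  // string -> the bytes of the string; number -> a buffer of that many bytes.
  // Node.js releases before 8.0 returned uninitialized memory in the number
  // case; later releases zero-fill it, but the size is still caller-controlled.
  return new Buffer(value).toString('hex');
}

// Hardened form: check the type, then use the explicit factory.
// Buffer.from() also rejects a bare number with a TypeError on its own.
function toHexSafe(value) {
  if (typeof value !== 'string') {
    throw new TypeError('expected a string, got ' + typeof value);
  }
  return Buffer.from(value, 'utf8').toString('hex');
}

// When a buffer of a given size really is wanted, Buffer.alloc() zero-fills it.
// The 1024-byte ceiling is an assumed application limit.
function zeroedBuffer(size) {
  if (!Number.isInteger(size) || size < 0 || size > 1024) {
    throw new RangeError('size out of range');
  }
  return Buffer.alloc(size);
}

// Constructed request bodies: the second sends a number where a string is expected.
const expected = JSON.parse('{"str": "hi"}');
const unexpected = JSON.parse('{"str": 8}');

function demo() {
  const results = {
    okHex: toHexSafe(expected.str),
    unsafeBytes: toHexUnsafe(unexpected.str).length / 2, // bytes handed back for a number
  };
  try {
    toHexSafe(unexpected.str);
    results.rejected = false;
  } catch (err) {
    results.rejected = err instanceof TypeError;
  }
  return results;
}

console.log(demo());
```
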