Skip to first unread message
leeand00
Aug 4, 2020, 6:23:44 PM8/4/20
to TiddlyWiki
Security Alert regarding express.js:
I would think that tiddlywiki does use this library (and about a million other projects...), so I just thought I ought to make people aware of it.
PMario
Aug 4, 2020, 7:53:19 PM8/4/20
to TiddlyWiki
Hi,
TiddlyWiki is self contained. see: https://github.com/Jermolene/TiddlyWiki5/blob/master/package.json#L26 which shows that it doesn't use any 3rd party libs by default.
TW also doesn't use express-file-upload or the EJS templating engine, because TW has its own templates.
So there isn't a problem as mentioned with the TW server commands! .....
BUT this doesn't mean that other TW server approaches (or plugins) don't use the mentioned elements.
-m
Mark S.
Aug 4, 2020, 7:58:43 PM8/4/20
to TiddlyWiki
Since it relates to file uploads, it seems like standard issue TW is probably OK. I can't think of any TW projects that do uploads except possibly tiddlyserver and Bob. But since these shouldn't be used (in general) on the open internet, that shouldn't be a problem for most people. NoteSelf might do uploading, but my scan of the code couldn't find "express" so hopefully it's OK.
TW Tones
Aug 4, 2020, 11:28:09 PM8/4/20
to TiddlyWiki
Mark,
But I would like the opportunity to configure uploads in some cases :)
Is that too much to ask?
Regards
Tony
Reply all
Reply to author
Forward
0 new messages