Why don't newer versions of node remove __proto__ from request body?

Problem description

When I send a PUT request to my express server, req.body sometimes has a __proto__ property, and other times not.

Using node 0.10.26 and express 3.2.3:

  • When I put {"a":"b", "__proto__": {}},
  • Then req.body is {"a":"b"}

Using node 4.1.0 and express 3.2.3:

  • When I put {"a":"b", "__proto__": {}},
  • Then req.body is {"a":"b", "__proto__": {}}

So newer versions of node do not strip the __proto__ property. I actually liked this behaviour; now I have to write my own middleware which strips away the property. I think this has something to do with bodyparser. The weird thing is, though, that both tests have the same version of express (and hence the same version of bodyparser).

Can anyone give any motivation as to why this was changed? What is the recommended way of resolving this?

Recommended answer

Neither express nor node is responsible for this behavior. This was actually changed a long time ago in V8, for compatibility and spec conformance.

  • Old behaviour (__proto__ stripped):

    > var x = JSON.parse('{"__proto__":[]}');
    > x.hasOwnProperty('__proto__');
    false

  • New behaviour (__proto__ not stripped):

    > var x = JSON.parse('{"__proto__":[]}');
    > x.hasOwnProperty('__proto__');
    true
    

  • Sources:

    • https://code.google.com/p/chromium/issues/detail?id=115055
    • https://code.google.com/p/v8/issues/detail?id=1310

    Like you said, you can write a simple middleware to strip the property yourself:

    // Remove an own "__proto__" key that the JSON parser left on the body.
    // delete only touches own properties, so the accessor on Object.prototype
    // (and the object's real prototype) is unaffected. Guard for routes where
    // no body parser ran and req.body is undefined.
    function stripProto(req, res, next) {
      if (req.body) {
        delete req.body.__proto__;
      }
      next();
    }
    // ...
    app.use(stripProto);
    
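The two V8 behaviours and the middleware above, carried one step further as an added example (this is not code from the question or the answer): it checks that a body parsed by JSON.parse in current Node carries __proto__ as an own data property while its prototype stays Object.prototype, and strips such keys from nested objects and arrays as well as the top level. The function names and the sample body are hypothetical.

```javascript
// Added example, not from the original post. Function names are hypothetical.

function parseBody(text) {
  return JSON.parse(text);
}

// Own-property check: obj.__proto__ goes through the accessor on
// Object.prototype and reports the real prototype, so only hasOwnProperty
// reveals whether the parser left a "__proto__" key on the object.
function hasOwnProto(obj) {
  return Object.prototype.hasOwnProperty.call(obj, '__proto__');
}

// JSON.parse in current V8 never changes the prototype; the key is plain data.
function prototypeIsObject(obj) {
  return Object.getPrototypeOf(obj) === Object.prototype;
}

// Recursively drop own "__proto__" keys from plain objects and arrays.
// A JSON body parser only produces these two container shapes, so this
// covers everything req.body can contain.
function stripProtoDeep(value) {
  if (Array.isArray(value)) {
    return value.map(stripProtoDeep);
  }
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const key of Object.keys(value)) {
      if (key === '__proto__') continue; // never assign this key on `out`
      out[key] = stripProtoDeep(value[key]);
    }
    return out;
  }
  return value; // strings, numbers, booleans, null pass through
}

// Express-style middleware built on the helper; a drop-in for the answer's
// stripProto() when nested bodies also need cleaning.
function stripProtoMiddleware(req, res, next) {
  if (req.body !== undefined) req.body = stripProtoDeep(req.body);
  next();
}

// Constructed sample body, shaped like the PUT payload in the question but
// with one extra nested occurrence of the key.
const sample = parseBody('{"a":"b","__proto__":{},"nested":[{"__proto__":[]}]}');

console.log(hasOwnProto(sample), hasOwnProto(stripProtoDeep(sample))); // true false
```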
