This patch was also vulnerable ;)
As the regex ended with $, we could bypass it with a newline, then /../../.. + raw gist
$
/../../..
github.com/thepracticaldev/dev.to/...
This was fixed by using \A and \Z instead of ^ and $!
\A
\Z
^
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.
Auth With Twitter
Auth With GitHub
re: Pwned Together: Hacking dev.to VIEW POST
TOP OF THREAD FULL DISCUSSIONThis patch was also vulnerable ;)
As the regex ended with
$, we could bypass it with a newline, then/../../..+ raw gistgithub.com/thepracticaldev/dev.to/...
This was fixed by using
\Aand\Zinstead of^and$!