linux implementation can read arbitrary files

[mlc]

node-macaddress/lib/linux.js

Line 4 in 63b9f87

execFile("cat", ["/sys/class/net/" + iface + "/address"], function (err, out) {

By prepending ../../.. to the "interface" name, this line of code can be asked read a file from anywhere on the filesystem as long as that file is named address.

It is also a little bit strange to run cat to read a file rather than just using the node fs module, but patching only that will not solve the security problem.

[scravy]

There used to be a very old and ancient version of node which for whatever reason did not read the contents of textfiles in /sys properly, which is why cat was used.

The name of the interface could well be sanitized.

Do you mind opening a pull request?

[scravy]

Has been fixed and released in v0.4.3

[mlc]

thanks, @scravy!