Releases: vgno/koa-remove-trailing-slashes
v2.0.3
Fixes
- Restore Node v7 compatibility (a344f66 by @PAkerstrand)
v2.0.2
This patch release fixes a security issue that allowed a malicious actor to trick the middleware into redirecting to other domains. After this patch release, the middleware will only remove a trailing slash from the path if the resulting Location header will still redirect the user to the same domain they originally requested.
The vulnerability and attack vector are described in greater detail in CVE-2021-23384.
Big thank you goes out to @apple502j for discovering and disclosing this vulnerability to us.
Fixes
- only redirect for current origin (e7ce400 by @PAkerstrand)
- tests against path traversals (a22ed1b by @PAkerstrand)
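
The same-origin condition described in the v2.0.2 notes can be sketched as follows. This is an added example, not the project's own code: the helper names `safeSlashRedirect` and `sameOriginSlashMiddleware` and the sample hostnames are assumptions, and the check resolves the candidate Location value with the WHATWG `URL` parser before comparing origins.

```javascript
'use strict';
// Added example; not the koa-remove-trailing-slashes source code.
// safeSlashRedirect and sameOriginSlashMiddleware are hypothetical names.

// Returns the Location value for the slash-stripped URL, or null when no
// redirect should be sent (nothing to strip, or the target leaves the origin).
function safeSlashRedirect(origin, path, querystring = '') {
  if (path.length <= 1 || !path.endsWith('/')) return null;

  // Strip trailing slashes with a loop rather than a backtracking regex.
  let end = path.length;
  while (end > 0 && path[end - 1] === '/') end--;
  const stripped = path.slice(0, end) || '/';
  const location = querystring ? `${stripped}?${querystring}` : stripped;

  let resolved;
  try {
    // Resolve the header value the way a browser resolves Location.
    resolved = new URL(location, origin);
  } catch (err) {
    return null; // unparsable target: do not redirect
  }
  // A value such as "//other.example" is scheme-relative, so it resolves
  // to a different host even though it arrived as a request path.
  return resolved.origin === new URL(origin).origin ? location : null;
}

// Koa-style middleware using the check; ctx.origin, ctx.path,
// ctx.querystring, ctx.status and ctx.redirect are Koa context members.
function sameOriginSlashMiddleware() {
  return async (ctx, next) => {
    const location = safeSlashRedirect(ctx.origin, ctx.path, ctx.querystring);
    if (location === null) return next();
    ctx.status = 301;
    ctx.redirect(location);
  };
}

// Constructed sample requests (hostnames are placeholders).
for (const p of ['/docs/', '/docs', '//other.example/']) {
  console.log(JSON.stringify(p), '->', safeSlashRedirect('https://app.example', p));
}
```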