Merge pull request #223 from gro-ove/master

Fixed: path traversal attack
Calvin Montgomery 2013-07-19 14:33:37 -07:00
commit a25b2fdadf
1 changed files with 7 additions and 1 deletions


@ -1,3 +1,4 @@
var path = require("path");
var express = require("express");
var Config = require("./config");
var Logger = require("./logger");
@ -89,7 +90,12 @@ var Server = {
// default path
this.app.get("/:thing(*)", function (req, res, next) {
res.sendfile(__dirname + "/www/" + req.params.thing);
var root = __dirname + "/www/",
answer = path.resolve (__dirname + "/www/", req.params.thing);
if (answer.indexOf (root) != 0)
res.send (404);
else
res.sendfile(__dirname + "/www/" + req.params.thing);
});
// fallback
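Review bot: The else branch still passes the raw concatenation `__dirname + "/www/" + req.params.thing` to `res.sendfile`, so the path that is checked (`answer`) and the path that is served are two different strings; serve the validated value with `res.sendfile(answer);`. The prefix test also compares a resolved path against an unresolved `root`, which would presumably never match on a platform where `path.resolve` returns backslash-separated paths, so build the root the same way: `var root = path.resolve(__dirname, "www") + path.sep;` and `answer = path.resolve(root, req.params.thing);`. The +/- markers are lost on this page, so this assumes the six lines from `var root` to the second `res.sendfile` are the added side; the enclosing `Server` method starts outside the hunk.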