From deb0231b7f018d9bdebb952190f766111478d90d Mon Sep 17 00:00:00 2001
From: gro-ove
Date: Sat, 20 Jul 2013 00:27:21 +0400
Subject: [PATCH] Fixed: path traversal attack

---
 server.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/server.js b/server.js
index 315b9554..f832b34a 100644
--- a/server.js
+++ b/server.js
@@ -1,3 +1,4 @@
+var path = require("path");
 var express = require("express");
 var Config = require("./config");
 var Logger = require("./logger");
@@ -89,7 +90,12 @@ var Server = {
 // default path
 this.app.get("/:thing(*)", function (req, res, next) {
- res.sendfile(__dirname + "/www/" + req.params.thing);
+ var root = __dirname + "/www/", answer = path.resolve (__dirname + "/www/", req.params.thing);
+ if (answer.indexOf (root) != 0)
+ res.send (404);
+ else
+ res.sendfile(__dirname + "/www/" + req.params.thing);
 });
 // fallback
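Review bot: The guard in the new handler body validates the normalized `answer` but then serves the raw concatenation `__dirname + "/www/" + req.params.thing`, so the string that passed the check is not the one handed to `res.sendfile`; serve the checked path instead with `res.sendfile(answer);`. `root` is also left un-normalized while `answer` goes through `path.resolve`, so the prefix test compares unlike strings — `path.resolve` drops the trailing slash and, on a platform that rewrites separators, would never match `"/www/"`, which presumably turns every request into a 404 there rather than opening a bypass; deriving both from one normalized base, `var root = path.resolve(__dirname, "www") + path.sep,` and `answer = path.resolve(root, req.params.thing);`, keeps the comparison meaningful while the trailing separator still rejects sibling directories such as `www2`. If the installed Express version's `res.sendfile` accepts a `root` option, delegating containment to the library (`res.sendfile(req.params.thing, { root: path.resolve(__dirname, "www") })`) is the more conventional fix and avoids hand-rolling the check. The `this.app.get` handler is complete within the hunk; the enclosing `Server` object it belongs to starts before it.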