moon
/
sync
mirror of https://github.com/calzoneman/sync.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fixed: path traversal attack

This commit is contained in:
gro-ove 2013-07-20 00:27:21 +04:00
parent 383525fd9f
commit deb0231b7f
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
server.js
View File

@ -1,3 +1,4 @@
var path = require("path");
var express = require("express"); var express = require("express");
var Config = require("./config"); var Config = require("./config");
var Logger = require("./logger"); var Logger = require("./logger");
@ -89,7 +90,12 @@ var Server = {
// default path // default path
this.app.get("/:thing(*)", function (req, res, next) { this.app.get("/:thing(*)", function (req, res, next) {
res.sendfile(__dirname + "/www/" + req.params.thing); var root = __dirname + "/www/",
answer = path.resolve (__dirname + "/www/", req.params.thing);
if (answer.indexOf (root) != 0)
res.send (404);
else
res.sendfile(__dirname + "/www/" + req.params.thing);
}); });
// fallback // fallback