Fixed: path traversal attack

2013-07-20 00:27:21 +04:00 · 2013-07-20 00:27:21 +04:00 · deb0231b7f
parent 383525fd9f
commit deb0231b7f
1 changed files with 7 additions and 1 deletions
--- a/server.js
+++ b/server.js
@ -1,3 +1,4 @@
+var path = require("path");
 var express = require("express");
 var Config = require("./config");
 var Logger = require("./logger");
@ -89,7 +90,12 @@ var Server = {

        // default path
        this.app.get("/:thing(*)", function (req, res, next) {
-            res.sendfile(__dirname + "/www/" + req.params.thing);
+            var root = __dirname + "/www/",
+                answer = path.resolve (__dirname + "/www/", req.params.thing);
+            if (answer.indexOf (root) != 0)
+                res.send (404);
+            else
+                res.sendfile(__dirname + "/www/" + req.params.thing);
        });

        // fallback