
Fix security issue when going up the directories hierarchy

1 parent a6bc8d6 commit 4877231629fc58bb6fd8e0121fa2912d7c41a9be @gilad61 gilad61 committed May 29, 2012
Showing with 15 additions and 1 deletion.
  1. +15 −1 lib/staticGzip.js
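--- a/lib/staticGzip.js
+++ b/lib/staticGzip.js
@@ -96,6 +96,8 @@ exports = module.exports = function staticGzip(dirPath, options){
 if (!dirPath) throw new Error('You need to provide the directory to your static content.');
 if (!contentTypeMatch.test) throw new Error('contentTypeMatch: must be a regular expression.');
+dirPath = path.normalize(dirPath);
+
 return function staticGzip(req, res, next){
 var url, filename, contentType, acceptEncoding, charset;
@@ -134,6 +136,14 @@ exports = module.exports = function staticGzip(dirPath, options){
 });
 }
+function forbidden(res) {
+var body = 'Forbidden';
+res.setHeader('Content-Type', 'text/plain');
+res.setHeader('Content-Length', body.length);
+res.statusCode = 403;
+res.end(body);
+};
+
 if (req.method !== 'GET' && req.method !== 'HEAD') {
 return next();
 }
@@ -145,7 +155,11 @@ exports = module.exports = function staticGzip(dirPath, options){
 return next();
 }
-filename = path.join(dirPath, url.pathname.substring(prefix.length));
+filename = path.normalize(path.join(dirPath, url.pathname.substring(prefix.length)));
+// malicious path
+if (0 != filename.indexOf(dirPath)){
+return forbidden(res);
+}
 contentType = mime.lookup(filename);
 charset = mime.charsets.lookup(contentType, 'UTF-8');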
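Review bot: The containment check `if (0 != filename.indexOf(dirPath))` in the last hunk compares against a directory path with no trailing separator, so a sibling directory whose name starts with the same characters still passes: with dirPath normalised to `/srv/public`, a request that resolves to `/srv/public2/secret` begins with `/srv/public` and is served rather than rejected. The normalised root should carry a trailing separator before it is used as a prefix, e.g. `dirPath = path.join(dirPath, '/');` in place of the `path.normalize` line of the first hunk (path.join normalises and keeps the trailing separator), and the comparison itself reads better as `if (filename.indexOf(dirPath) !== 0) {`. Whether `url.pathname` is percent-decoded before `substring(prefix.length)` is not visible here; if it is not, it is worth confirming that the later file open does not decode `..` sequences after this check has already run. The enclosing staticGzip closure starts and ends outside the hunk.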
