Merge branch 'master' of https://github.com/gilad61/gzippo

apiaryio · Jun 20, 2012 · a708d94 · a708d94
2 parents 90cc076 + 4877231
commit a708d94
Showing 1 changed file with 15 additions and 1 deletion.
diff --git a/lib/staticGzip.js b/lib/staticGzip.js
@@ -96,6 +96,8 @@ exports = module.exports = function staticGzip(dirPath, options){
 	if (!dirPath) throw new Error('You need to provide the directory to your static content.');
 	if (!contentTypeMatch.test) throw new Error('contentTypeMatch: must be a regular expression.');
 
+  dirPath = path.normalize(dirPath);
+
   return function staticGzip(req, res, next){
 		var url, filename, contentType, acceptEncoding, charset;
 
@@ -134,6 +136,14 @@ exports = module.exports = function staticGzip(dirPath, options){
 			});
 		}
 
+    function forbidden(res) {
+      var body = 'Forbidden';
+      res.setHeader('Content-Type', 'text/plain');
+      res.setHeader('Content-Length', body.length);
+      res.statusCode = 403;
+      res.end(body);
+    };
+
 		if (req.method !== 'GET' && req.method !== 'HEAD') {
 			return next();
 		}
@@ -145,7 +155,11 @@ exports = module.exports = function staticGzip(dirPath, options){
 			return next();
 		}
 
-		filename = path.join(dirPath, url.pathname.substring(prefix.length));
+    filename = path.normalize(path.join(dirPath, url.pathname.substring(prefix.length)));
+    // malicious path
+    if (0 != filename.indexOf(dirPath)){
+      return forbidden(res);
+    }
 
 		contentType = mime.lookup(filename);
 		charset = mime.charsets.lookup(contentType, 'UTF-8');