fix vulnerability when pathname starts with a '.'

1 parent f697b74 commit c49e37262c5e999f588d57343405d09e8d602c81 @cloudhead committed Aug 9, 2011
Showing with 1 addition and 1 deletion.
  1. +1 −1 lib/node-static.js
@@ -134,7 +134,7 @@ this.Server.prototype.servePath = function (pathname, status, headers, req, res,
// Make sure we're not trying to access a
// file outside of the root.
- if (new(RegExp)('^' + that.root).test(pathname)) {
+ if (pathname.indexOf(that.root) === 0) {
fs.stat(pathname, function (e, stat) {
if (e) {
finish(404, {});
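Review bot: the replacement on the `+` line is still a raw string-prefix comparison on an unnormalised pathname, so it neither accounts for `..` segments in `pathname` nor distinguishes `that.root` from a sibling directory whose name merely begins with the same characters (a root of `/srv/www` accepts `/srv/www-private/secret`). Resolve both sides before comparing and require the root to end in a path separator, for example `path.resolve(pathname).indexOf(path.resolve(that.root) + path.sep) === 0`, computing the resolved root once rather than on every request. The comment above the check should also record why the regex was dropped: `that.root` was interpolated into the pattern unescaped, so a root of `.` produced `^.`, which any non-empty pathname satisfies.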

1 comment on commit c49e372

Contributor

cimnine commented on c49e372 Aug 11, 2011

This is a bad fix; even your example file-server does not run anymore.
The best would probably be to path.resolve(pathname).indexOf(path.resolve(that.root)) === 0 or similar.
If this works, don't forget to cache path.resolve(that.root) somewhere.