
Fix a security hole in the static directory server.

1 parent 8b64fad commit 472c01a20c7f7fcf49efcdd85f49b3fd9e5042d3 @creationix committed Apr 1, 2010
Showing with 1 addition and 1 deletion.
  1. +1 −1 lib/node-router.js
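--- a/lib/node-router.js
+++ b/lib/node-router.js
@@ -311,7 +311,7 @@ exports.staticDirHandler = function(root, prefix) {
 var filename = req.url.replace(/[\?|#].*$/, '');
 if (prefix) filename = filename.replace(new RegExp('^'+prefix), '');
 // make sure nobody can explore our local filesystem
- filename = path.join(root, filename.replace(/\.\./g, '.'));
+ filename = path.join(root, filename.replace(/\.\.+/g, '.'));
 if (filename == root) filename = path.join(root, 'index.html');
 loadResponseData(req, res, filename, function(headers, body, encoding) {
 res.writeHead(200, headers);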
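Review bot: The guard on the `path.join(root, ...)` line still sanitises the request string instead of checking the joined result, so it holds only while nothing later reintroduces a parent-directory segment. One case to confirm is whether `loadResponseData` or a caller percent-decodes the URL, which is not visible in this hunk. A containment check after the join is easier to reason about and does not depend on the regex being complete: `if (filename !== root && filename.indexOf(root + '/') !== 0) { /* refuse the request */ return; }`, with `root` normalised the same way as the joined path. The comment above the line could then state the invariant, e.g. `// invariant: filename must stay inside root; anything else is refused`, and a regression test for dot runs of three or more characters would pin the case this commit fixes. The handler body begins before and continues after this hunk, so how a refusal should be reported is not visible here.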
