Fix a security hole in the static directory server.
creationix committed Apr 2, 2010
1 parent 8b64fad commit 472c01a
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion lib/node-router.js
@@ -311,7 +311,7 @@ exports.staticDirHandler = function(root, prefix) {
var filename = req.url.replace(/[\?|#].*$/, ''); var filename = req.url.replace(/[\?|#].*$/, '');
if (prefix) filename = filename.replace(new RegExp('^'+prefix), ''); if (prefix) filename = filename.replace(new RegExp('^'+prefix), '');
// make sure nobody can explore our local filesystem // make sure nobody can explore our local filesystem
filename = path.join(root, filename.replace(/\.\./g, '.')); filename = path.join(root, filename.replace(/\.\.+/g, '.'));
if (filename == root) filename = path.join(root, 'index.html'); if (filename == root) filename = path.join(root, 'index.html');
loadResponseData(req, res, filename, function(headers, body, encoding) { loadResponseData(req, res, filename, function(headers, body, encoding) {
res.writeHead(200, headers); res.writeHead(200, headers);
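Review bot: The `/\.\.+/g` rewrite on the `path.join` line is still a denylist: it edits dot runs in the raw URL string instead of checking where the joined path actually lands, so the guarantee depends on the regex anticipating every spelling of a parent reference. A containment check after the join would hold regardless of input form, e.g. `if (filename != root && filename.indexOf(root + '/') !== 0) { /* reject the request */ }`, with `root` normalized once when the handler is created. The rewrite also silently alters legitimate names that contain consecutive dots, so a request for one resolves to a different file rather than a clean not-found. Separately, `new RegExp('^'+prefix)` two lines above treats `prefix` as a pattern; escaping it or using a plain string comparison avoids surprises if the prefix contains `.` or other metacharacters. The handler body starts and ends outside this hunk.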