don't allow directory traversal

JohnMcLear committed Apr 10, 2015
1 parent 7b86eb0 commit 9d4e5f6e35153129377206ef545d4965afae627d
Showing with 0 additions and 1 deletion.
  1. +0 −1 src/node/utils/Minify.js
@@ -145,7 +145,6 @@ function minify(req, res, next)
filename = path.normalize(path.join(ROOT_DIR, filename));
if (filename.indexOf(ROOT_DIR) == 0) {
filename = filename.slice(ROOT_DIR.length);
- filename = filename.replace(/\\/g, '/'); // Windows (safe generally?)
} else {
res.writeHead(404, {});
res.end();
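
Review bot: The deleted line `filename = filename.replace(/\\/g, '/');` was the only step that gave the sliced path forward slashes on Windows, where `path.normalize` returns backslash separators, so after this change the value leaving the `if` branch differs by platform, and neither the diff nor the commit message explains how the replacement enabled traversal. If the concern is backslashes in the requested name, reject or convert them before the `path.join`/`path.normalize` call so that the containment check sees the same path that is used afterwards, and add a comment saying so. Separately, `filename.indexOf(ROOT_DIR) == 0` is a plain string-prefix test: unless `ROOT_DIR` ends with a path separator, a sibling directory whose name starts with the same characters also passes. Comparing against `ROOT_DIR` plus `path.sep`, or checking that `path.relative(ROOT_DIR, filename)` does not start with `..`, would make the check exact.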

4 comments on commit 9d4e5f6

fgeek Apr 11, 2015

Please use CVE-2015-3297 for this vulnerability.

0x46616c6b Apr 12, 2015

Contributor

same in Minify.js:168

JohnMcLear Apr 12, 2015

Member

Merged fix for Minify.js:168

JohnMcLear Apr 15, 2015

Member

FWIW this broke the Windows (hosted) version of Etherpad...
