don't allow directory traversal

JohnMcLear committed Apr 10, 2015
1 parent 7b86eb0 commit 9d4e5f6e35153129377206ef545d4965afae627d
Showing with 0 additions and 1 deletion.
  1. +0 −1 src/node/utils/Minify.js
@@ -145,7 +145,6 @@ function minify(req, res, next)
filename = path.normalize(path.join(ROOT_DIR, filename));
if (filename.indexOf(ROOT_DIR) == 0) {
filename = filename.slice(ROOT_DIR.length);
filename = filename.replace(/\\/g, '/'); // Windows (safe generally?)
} else {
res.writeHead(404, {});
res.end();
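
Review bot: the containment check `if (filename.indexOf(ROOT_DIR) == 0)` is a plain string-prefix comparison, so unless ROOT_DIR ends with a path separator (its definition is not in this hunk) a normalized path into a sibling directory whose name merely begins with the same characters would also pass. Compare against ROOT_DIR plus `path.sep`, or compute `path.relative(ROOT_DIR, filename)` and return the 404 when the result starts with `..` or is absolute. The backslash-to-slash conversion, `filename.replace(/\\/g, '/')`, is the only separator handling visible in this region, so a one-line deletion here should be exercised with both `/` and `\` style inputs before merging, and the commit message should name the removed line and the reason for removing it.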

4 comments on commit 9d4e5f6

@fgeek

fgeek replied Apr 11, 2015

Please use CVE-2015-3297 for this vulnerability.

@0x46616c6b

Contributor

0x46616c6b replied Apr 12, 2015

same in Minify.js:168

@JohnMcLear

Member

JohnMcLear replied Apr 12, 2015

Merged fix for Minify.js:168

@JohnMcLear

Member

JohnMcLear replied Apr 15, 2015

FWIW this broke the Windows(hosted) version of Etherpad...
