don't allow directory traversal
JohnMcLear committed Apr 10, 2015
1 parent 7b86eb0 commit 9d4e5f6
Showing 1 changed file with 0 additions and 1 deletion.
1 change: 0 additions & 1 deletion src/node/utils/Minify.js
Expand Up @@ -145,7 +145,6 @@ function minify(req, res, next)
filename = path.normalize(path.join(ROOT_DIR, filename));
if (filename.indexOf(ROOT_DIR) == 0) {
filename = filename.slice(ROOT_DIR.length);
filename = filename.replace(/\\/g, '/'); // Windows (safe generally?)
} else {
res.writeHead(404, {});
res.end();
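Review bot: The containment test `if (filename.indexOf(ROOT_DIR) == 0)` is a plain string-prefix comparison, so it confines the path only if ROOT_DIR ends with a path separator; otherwise a normalized path into a sibling directory whose name begins with the same characters also passes. I would compare against ROOT_DIR with a trailing separator, or compute `path.relative(ROOT_DIR, filename)` and return the 404 when the result starts with `..` or is absolute. Separately, this rendering has lost the +/- markers, so the single deleted line the header reports (7 lines down to 6) cannot be identified from the hunk itself. If it is the `filename.replace(/\\/g, '/')` line, note that `path.normalize` returns backslash-separated paths on Windows, so the sliced `filename` would keep its backslashes from here on, and the commit message should say why that is intended and how Windows hosts are expected to behave.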

4 comments on commit 9d4e5f6

@fgeek fgeek commented on 9d4e5f6 Apr 11, 2015

Please use CVE-2015-3297 for this vulnerability.

@0x46616c6b
Contributor

same in Minify.js:168

@JohnMcLear
Member Author

Merged fix for Minify.js:168

@JohnMcLear
Member Author

FWIW this broke the Windows(hosted) version of Etherpad...