

[FIX] security issue on static files: don't send files not in the pub…
…lic directory
bchelli committed Nov 27, 2012
1 parent c443e24 commit 76e7429
Showing 1 changed file with 10 additions and 5 deletions.
15 changes: 10 additions & 5 deletions initializers/initFileServer.js
Expand Up @@ -13,7 +13,9 @@ var initFileServer = function(api, next){
}

api.sendFile = function(api, connection, next){
var fileName = "";
var fileName = ""
, path = require('path')
;
if((connection.params.fileName == null || typeof connection.params.fileName == "undefined") && connection.req != null){
var parsedURL = api.url.parse(connection.req.url);
var parts = parsedURL.pathname.split("/");
Expand All @@ -33,10 +35,13 @@ var initFileServer = function(api, next){
}else{
fileName = connection.params.fileName;
}
if(connection.error === null){
fileName = api.configData.general.flatFileDirectory + fileName;
api.fileServer.followFileToServe(api, fileName, connection, next);
}
// verify the access is public
fileName = path.normalize(api.configData.general.flatFileDirectory + fileName);
if(fileName.indexOf(path.normalize(api.configData.general.flatFileDirectory))===0){
if(connection.error === null){
api.fileServer.followFileToServe(api, fileName, connection, next);
}
} else api.fileServer.sendFileNotFound(api, connection, next);
};

api.fileServer.followFileToServe = function(api, fileName, connection, next){
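Review bot: The containment check `fileName.indexOf(path.normalize(api.configData.general.flatFileDirectory))===0` is only sound if `flatFileDirectory` ends with a path separator, which nothing in the hunk guarantees; for a base of `/srv/public` a request resolving to `/srv/public_other/x` (or `/srv/public../x`, which is what the concatenation `base + "../x"` normalizes to) still starts with the base string and is served. Normalize the base once with a trailing separator and compare against that: `var baseDir = path.normalize(api.configData.general.flatFileDirectory + path.sep);` then `fileName = path.normalize(baseDir + fileName);` and `if(fileName.indexOf(baseDir)===0){`. This is a lexical check only, so a symlink inside the public directory that points elsewhere would presumably still be followed by `followFileToServe` — worth a one-line comment such as `// lexical containment only; symlinks under flatFileDirectory are not resolved` if that is the intended scope. Whether `fileName` is already URL-decoded at this point cannot be seen here, since `api.sendFile` starts in the first hunk and part of its body falls between the two hunks.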

