From 76e7429633de6df5078f2d3f0e2550bc755d7bb1 Mon Sep 17 00:00:00 2001
From: Benjamin Chelli
Date: Tue, 27 Nov 2012 15:43:58 +0100
Subject: [PATCH] [FIX] security issue on static files: don't send files not in the public directory

---
 initializers/initFileServer.js | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/initializers/initFileServer.js b/initializers/initFileServer.js
index 87ff98133..ebba5204a 100644
--- a/initializers/initFileServer.js
+++ b/initializers/initFileServer.js
@@ -13,7 +13,9 @@ var initFileServer = function(api, next){
   }
   api.sendFile = function(api, connection, next){
-    var fileName = "";
+    var fileName = ""
+    , path = require('path')
+    ;
     if((connection.params.fileName == null || typeof connection.params.fileName == "undefined") && connection.req != null){
       var parsedURL = api.url.parse(connection.req.url);
       var parts = parsedURL.pathname.split("/");
@@ -33,10 +35,13 @@ var initFileServer = function(api, next){
     }else{
       fileName = connection.params.fileName;
     }
-    if(connection.error === null){
-      fileName = api.configData.general.flatFileDirectory + fileName;
-      api.fileServer.followFileToServe(api, fileName, connection, next);
-    }
+    // verify the access is public
+    fileName = path.normalize(api.configData.general.flatFileDirectory + fileName);
+    if(fileName.indexOf(path.normalize(api.configData.general.flatFileDirectory))===0){
+      if(connection.error === null){
+        api.fileServer.followFileToServe(api, fileName, connection, next);
+      }
+    } else api.fileServer.sendFileNotFound(api, connection, next);
   };
   api.fileServer.followFileToServe = function(api, fileName, connection, next){
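Review bot: The containment check in the second hunk is a bare string-prefix test, so when `flatFileDirectory` is configured without a trailing separator, any sibling path whose name merely begins with the public directory's name also passes — the comparison needs the separator included, and `path.resolve` rather than `path.normalize` so both sides are absolute before comparing; for example `var root = path.resolve(api.configData.general.flatFileDirectory) + path.sep;`, `fileName = path.resolve(api.configData.general.flatFileDirectory + fileName);`, `if(fileName.indexOf(root) === 0){`. Note that neither `normalize` nor `resolve` follows symbolic links inside the public directory, so this remains a lexical check; if that matters for this deployment it is worth stating in the `// verify the access is public` comment. Moving the `connection.error === null` guard inside the containment branch also changes behaviour slightly: a rejected path now gets `sendFileNotFound` even when `connection.error` is already set, whereas before nothing was sent in that case — presumably intended, but worth confirming. The brace-less `} else api.fileServer.sendFileNotFound(...)` would be clearer with braces to match the surrounding blocks. The enclosing `api.sendFile` function starts outside this hunk (its opening is in the first hunk).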