Redirect to external website #26
Comments
|
Great, I'll fix this as soon as I get home. The caveat is that you need to mount this middleware at the root. |
|
Hi @pierre-elie ! If you have the time and are willing, I would love it if you could verify the fix that is currently on |
|
I went ahead and published it as 1.7.2, but I would still love to hear your assessment on the change as well :) |
|
Hey, thanks a lot for the fast change! |
|
The reason I didn't use |
|
P.S., if you haven't done so already, please feel free to report this to https://nodesecurity.io/ , where the affected versions are all |
|
Right. Looks good to me then! Thanks again :) |
|
And thank you so much for bringing this to my attention :)! Go community! |
|
Reported by a researcher from https://bugcrowd.com/ |
|
Hey guys, this exact bug has existed in Python's SimpleHTTPServer since 2006. Feel free to attack them for it :) |
Stumbled upon a weird behavior where serve-static would redirect to an external website when "asked nicely".
Reproduction Steps
Using express 4.10.6 and static-serve 1.7.1 on node 0.10.33.
1. Simple app.js
2. Start server
3. Open in Firefox http://localhost//www.google.com/%2e%2e
Request
Response
4. You get redirected to Google...
It works in Firefox, Safari and probably IE, not in Chrome.
Setting static-serve’s option redirect: false seems to fix it (but redirect: true is the default).
It looks like many applications could be affected.
A quick test on apps listed on http://expressjs.com/resources/applications.html does not disappoint:
send emits directory in that case, which triggers the redirection.
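The redirect reported above can be reproduced offline and compared with a hardened variant. This is an added example, not code from serve-static or send; it assumes the directory redirect appends a trailing slash to the requested path, and the function names are hypothetical.

```javascript
// Added example. naiveDirectoryRedirect, safeDirectoryRedirect, splitQuery and
// resolvedHost are hypothetical names, not taken from serve-static or send.

const ORIGIN = 'http://localhost/';          // server from the report
const REQUEST = '//www.google.com/%2e%2e';   // request path from the report

// Host a client ends up on when it follows `location` received from `origin`.
function resolvedHost(location, origin) {
  return new URL(location, origin).host;
}

// Split "path?query" so the trailing slash goes on the path only.
function splitQuery(requestUrl) {
  const i = requestUrl.indexOf('?');
  return i === -1 ? [requestUrl, ''] : [requestUrl.slice(0, i), requestUrl.slice(i)];
}

// Vulnerable pattern (assumed): reuse the raw request path as the Location
// value. A path starting with "//" is read as a protocol-relative URL, so the
// first path segment becomes the host.
function naiveDirectoryRedirect(requestUrl) {
  const [path, query] = splitQuery(requestUrl);
  return path + '/' + query;
}

// Hardened pattern: collapse the run of leading slashes to one, so the
// Location value is always a path on the current origin.
function safeDirectoryRedirect(requestUrl) {
  const [path, query] = splitQuery(requestUrl);
  return path.replace(/^\/+/, '/') + '/' + query;
}

// Compare both Location values and where each one sends the client.
function demo() {
  const naive = naiveDirectoryRedirect(REQUEST);
  const safe = safeDirectoryRedirect(REQUEST);
  return {
    naive, naiveHost: resolvedHost(naive, ORIGIN),
    safe, safeHost: resolvedHost(safe, ORIGIN),
  };
}

console.log(demo());
```

The `%2e%2e` segment is what makes the path normalize to the root directory on the server, which is the case where the directory redirect fires.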