adding '/' on windows to webroot causes 'access denied' #23

Closed
Babay88 opened this Issue Aug 14, 2011 · 2 comments


@Babay88
Babay88 commented Aug 14, 2011

you should write
```js
if (webroot[webroot.length - 1] !== '/' && webroot[webroot.length - 1] !== '\\') webroot = path.normalize(webroot + '/');
```
instead of
```js
if (webroot[webroot.length - 1] !== '/') webroot += '/';
```

'cause on windows fp contains '\' at that position (it's normalized) and webroot contains '/' at that position (not normalized).

@fprijate
Contributor
fprijate commented Sep 4, 2011
Here is a solution:

```js
var path = require('path');

exports.filepath = function (webroot, url) {
  // Separator used by path.normalize() on the current platform
  var pathSep = process.platform == 'win32' ? '\\' : '/';
  // Unescape URL to prevent security holes
  url = decodeURIComponent(url);
  // Append index.html if path ends with '/'
  var fp = path.normalize(path.join(webroot, /\/$/.test(url) ? url + 'index.html' : url));
  // Sanitize input, make sure people can't use .. to get above webroot
  if (webroot[webroot.length - 1] !== pathSep) webroot += pathSep;
  if (fp.substr(0, webroot.length) != webroot)
    return ['Permission Denied', null];
  else
    // Replace every remaining '/' with the platform separator
    return [null, fp.split('/').join(pathSep)];
};
```
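An added example, not part of the thread or the project's code: a containment check that normalizes both `webroot` and the joined path, then compares path components via `path.relative` instead of a string prefix. The name `safeFilepath`, the `p` parameter, the 'Bad Request' result and the sample paths are assumptions made for illustration.

```javascript
const path = require('path');

// Hypothetical helper, not the project's API. `p` selects the path flavour
// (path.win32 or path.posix) so both platforms can be exercised on one machine.
function safeFilepath(webroot, url, p = path) {
  let rel;
  try {
    rel = decodeURIComponent(url); // throws URIError on a malformed %-escape
  } catch (e) {
    return ['Bad Request', null];
  }
  if (rel.includes('\0')) return ['Bad Request', null];
  // Append index.html if the path ends with '/'
  if (rel.endsWith('/')) rel += 'index.html';

  // Normalize BOTH sides: resolve() converts '/' to the platform separator
  // and drops a trailing one, so 'C:/www/' and 'C:\\www' become identical.
  const root = p.resolve(webroot);
  const fp = p.join(root, rel);

  // Containment is decided on path components, not on a string prefix.
  const hop = p.relative(root, fp);
  const escapes = hop === '..' || hop.startsWith('..' + p.sep) || p.isAbsolute(hop);
  return escapes ? ['Permission Denied', null] : [null, fp];
}

// Constructed sample requests: [flavour, webroot, url]
const samples = [
  [path.win32, 'C:/www/', '/'],                      // the case from this issue
  [path.win32, 'C:\\www', '/css/site.css'],
  [path.win32, 'C:/www/', '/..%2F..%2Fsecret.txt'],  // encoded traversal
  [path.win32, 'C:/www/', '/..%5C..%5Csecret.txt'],  // backslash traversal
  [path.posix, '/srv/www', '/../www-private/key'],   // sibling directory sharing the prefix
  [path.posix, '/srv/www/', '/%E0%A4%A'],            // malformed escape
];
for (const [p, root, url] of samples) {
  console.log(JSON.stringify(url), '=>', JSON.stringify(safeFilepath(root, url, p)));
}
```

Because the path flavour is a parameter, the Windows cases can be checked on any platform without a Windows host.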
@mcandre
Collaborator
mcandre commented May 2, 2013

Correct me if I'm wrong, but I believe this has been taken care of.

#13 (comment)

@mcandre mcandre closed this May 2, 2013