Don't allow files in hidden directories to be served (backported)

lib/directory.js

@@ -229,7 +229,7 @@ internals.generateListing = function (path, resource, selection, hasTrailingSlas
 
 internals.isFileHidden = function (path) {
 
-    return /^\./.test(Path.basename(path));
+    return /(^|[\\\/])\.([^\\\/]|[\\\/]?$)/.test(path);           // Starts with a '.' or contains '/.' or '\.', and not followed by a '/' or '\' or end
 };
 
 

package.json

@@ -1,7 +1,7 @@
 {
   "name": "inert",
   "description": "Static file and directory handlers for hapi.js",
-  "version": "1.1.0",
+  "version": "1.1.1",
   "repository": "git://github.com/hapijs/inert",
   "main": "index",
   "keywords": [

test/directory.js

@@ -274,7 +274,7 @@ describe('handler()', function () {
         });
     });
 
-    it('returns the index when found in hidden folder', function (done) {
+    it('returns the index when served from a hidden folder', function (done) {
 
         var server = provisionServer({ files: { relativeTo: __dirname } });
         server.route({ method: 'GET', path: '/{path*}', handler: { directoryTest: { path: './directory/.dot' } } });
@@ -293,7 +293,7 @@ describe('handler()', function () {
         });
     });
 
-    it('returns listing when found in hidden folder', function (done) {
+    it('returns listing when served from a hidden folder', function (done) {
 
         var server = provisionServer({ files: { relativeTo: __dirname } });
         server.route({ method: 'GET', path: '/{path*}', handler: { directoryTest: { path: './directory/.dot', index: false, listing: true } } });
@@ -373,6 +373,35 @@ describe('handler()', function () {
         });
     });
 
+    it('returns a 404 response when requesting a file in a hidden directory when showHidden is disabled', function (done) {
+
+        var server = provisionServer({ files: { relativeTo: __dirname } });
+        server.route({ method: 'GET', path: '/noshowhidden/{path*}', handler: { directoryTest: { path: './directory', listing: true } } });
+
+        server.inject('/noshowhidden/.dot/index.html', function (res) {
+
+            expect(res.statusCode).to.equal(404);
+
+            server.inject('/noshowhidden/.dot/', function (res) {
+
+                expect(res.statusCode).to.equal(404);
+                done();
+            });
+        });
+    });
+
+    it('returns a 404 response when requesting a hidden directory listing when showHidden is disabled', function (done) {
+
+        var server = provisionServer({ files: { relativeTo: __dirname } });
+        server.route({ method: 'GET', path: '/noshowhidden/{path*}', handler: { directoryTest: { path: './directory', listing: true, index: false } } });
+
+        server.inject('/noshowhidden/.dot/', function (res) {
+
+            expect(res.statusCode).to.equal(404);
+            done();
+        });
+    });
+
     it('returns a file when requesting a hidden file when showHidden is enabled', function (done) {
 
         var server = provisionServer({ files: { relativeTo: __dirname } });
@@ -385,6 +414,25 @@ describe('handler()', function () {
         });
     });
 
+    it('returns a a file when requesting a file in a hidden directory when showHidden is enabled', function (done) {
+
+        var server = provisionServer({ files: { relativeTo: __dirname } });
+        server.route({ method: 'GET', path: '/noshowhidden/{path*}', handler: { directoryTest: { path: './directory', showHidden: true, listing: true } } });
+
+        server.inject('/noshowhidden/.dot/index.html', function (res) {
+
+            expect(res.statusCode).to.equal(200);
+            expect(res.payload).to.contain('test');
+
+            server.inject('/noshowhidden/.dot/', function (res) {
+
+                expect(res.statusCode).to.equal(200);
+                expect(res.payload).to.contain('test');
+                done();
+            });
+        });
+    });
+
     it('redirects to the same path with / appended if asking for a directory', function (done) {
 
         var server = provisionServer({ files: { relativeTo: __dirname } });