Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Add security notice re 0.2.5

  • Loading branch information...
commit b33fa76ce3c7cbf712683e4b51c743f73032297c 1 parent 944c75b
@isaacs authored
Showing with 14 additions and 0 deletions.
  1. +14 −0
@@ -234,3 +234,17 @@ object before passing it to the mount function.
This is useful if you want to get the benefits of caching and gzipping
and such, but serve stylus files as css, for example.
+## Security Status
+Versions prior to 0.2.5 did not properly prevent folder traversal.
+Literal dots in a path were resolved out, but url encoded dots were
+not. Thus, a request like
+`/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd` would leak sensitive
+data from the server.
+As of version 0.2.5, any `'/../'` in the request path, urlencoded or
+not, will be replaced with `'/'`. If your application depends on url
+traversal, then you are encouraged to please refactor so that you do
+not depend on having `..` in url paths, as this tends to expose data
+that you may be surprised to be exposing.
Please sign in to comment.
Something went wrong with that request. Please try again.