Remove stripping of null bytes
This was at one point necessary because of an old bug in url.parse

See: #16 (comment)
See: 43f7e72

But this opens up a regex dos attack vector! D:

Based on some research (ie asking #node-dev if this is still an issue),
it's *probably* not an issue. :)
jfhbrook committed Aug 9, 2016
1 parent 2fceb40 commit 71ce939
Showing 1 changed file with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions lib/ecstatic.js
@@ -52,9 +52,21 @@ var ecstatic = module.exports = function (dir, options) {
return function middleware (req, res, next) {

// Strip any null bytes from the url
// This was at one point necessary because of an old bug in url.parse
//
// See: https://github.com/jfhbrook/node-ecstatic/issues/16#issuecomment-3039914
// See: https://github.com/jfhbrook/node-ecstatic/commit/43f7e72a31524f88f47e367c3cc3af710e67c9f4
//
// But this opens up a regex dos attack vector! D:
//
// Based on some research (ie asking #node-dev if this is still an issue),
// it's *probably* not an issue. :)
/*
while(req.url.indexOf('%00') !== -1) {
req.url = req.url.replace(/\%00/g, '');
}
*/

// Figure out the path for the file from the given url
var parsed = url.parse(req.url);
try {
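
Review bot: The `while(req.url.indexOf('%00') !== -1)` loop is disabled by wrapping it in `/* ... */` rather than deleted, and the leading comment `// Strip any null bytes from the url` still describes behaviour the middleware no longer has. Suggest deleting the dead block and keeping a short comment that points to issue #16 and commit 43f7e72, since version control already preserves the old code. Separately, the only justification recorded for letting `%00` reach `url.parse(req.url)` is that it is "*probably* not an issue"; a regression test that requests a URL containing `%00` and asserts on the response, or an explicit rejection of such requests before the file path is resolved, would turn that guess into a checked guarantee.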