
Fixed parent directory access hole.

The parent directory regex was not strict enough.
Added unit test.
commit a400cff4c3ee8dfad58b7803b3d8d172de6373c2 1 parent 288afdd
Peter Sanford psanford authored
Showing with 19 additions and 1 deletion.
  1. +1 −1  lib/antinode.js
  2. +18 −0 tests/test-path-security.js
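--- a/lib/antinode.js
+++ b/lib/antinode.js
@@ -87,7 +87,7 @@ function map_request_to_local_file(req, resp) {
 //if the parsed url doesn't have a pathname, default to '/'
 var pathname = (url.pathname || '/');
 var clean_pathname = pathname.
- replace(/\.\.\//g,''). //disallow parent directory access
+ replace(/\.\.\.*\/\/*/g,''). //disallow parent directory access
 replace(/\%20/g,' '); //convert spaces
 function select_vhost() {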
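Review bot: The tightened regex still accepts a pathname whose last segment is `..` with no trailing slash, because `\/\/*` demands at least one slash after the dots; whether that can reach outside the base directory depends on how clean_pathname is joined to it later in map_request_to_local_file, which continues outside the hunk. Substring stripping is also order-sensitive: only `%20` is decoded here, so other percent-encoded forms pass through literally, which is safe only as long as nothing downstream decodes them a second time. A sturdier guard is to normalise the cleaned path and reject any result that does not stay under the base directory, e.g. `var resolved = path.resolve(BASE_DIR, '.' + clean_pathname); if (resolved !== BASE_DIR && resolved.indexOf(BASE_DIR + path.sep) !== 0) { /* respond 404 */ }`, where BASE_DIR stands for the vhost's root directory variable used by this function. With that check in place the regex becomes defence in depth rather than the sole control.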
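--- /dev/null
+++ b/tests/test-path-security.js
@@ -0,0 +1,18 @@
+require('./common');
+
+exports["don't allow access to files outside of basedir"] = function (test) {
+ antinode.start(settings, function() {
+ test_http(test, {
+ 'method':'GET',
+ 'pathname':'/....//scripthost.js',
+ 'headers': { 'host' : 'default-host' }
+ }, {
+ 'statusCode': 404,
+ 'body':''
+ },
+ function () {
+ antinode.stop();
+ test.done();
+ });
+ });
+};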
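Review bot: The new test asserts only a 404, which is also what a genuinely missing file yields, so it would still pass if the guard regressed but `scripthost.js` happened to be absent from the directory above basedir; a positive control request for a file known to exist under basedir (expecting 200) would make the negative result meaningful. It also exercises a single spelling of the bypass; adding the plain form `'pathname':'/../scripthost.js'` and the trailing form `'pathname':'/..'` as further cases would pin the intent of the regex rather than one regression. Each case can reuse the same start/stop wrapper, so the addition is a few lines per request object.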