
Fixed parent directory access hole.

The parent directory regex was not strict enough.
Added unit test.
1 parent 288afdd commit a400cff4c3ee8dfad58b7803b3d8d172de6373c2 @psanford psanford committed Sep 20, 2010
Showing with 19 additions and 1 deletion.
  1. +1 −1 lib/antinode.js
  2. +18 −0 tests/test-path-security.js
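--- a/lib/antinode.js
+++ b/lib/antinode.js
@@ -87,7 +87,7 @@ function map_request_to_local_file(req, resp) {
 //if the parsed url doesn't have a pathname, default to '/'
 var pathname = (url.pathname || '/');
 var clean_pathname = pathname.
-replace(/\.\.\//g,''). //disallow parent directory access
+replace(/\.\.\.*\/\/*/g,''). //disallow parent directory access
 replace(/\%20/g,' '); //convert spaces
 function select_vhost() {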
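Review bot: Stripping `..` sequences with a regex is still a blacklist, and the new pattern on the `+` line only widens it; it says nothing about the final filesystem path, so any form the regex does not anticipate (for example `%2e%2e/`, if the pathname is percent-decoded anywhere downstream — only `%20` is decoded here) still reaches the file lookup. The robust check is positive: build the candidate with `path.normalize(path.join(basedir, clean_pathname))` (using whatever the document-root variable is called here) and serve it only when the result still starts with that root, returning 404 otherwise, rather than relying on the sanitised string being safe. A short comment on the regex line would also help the next reader, e.g. `// collapse runs of dots followed by slashes; the basedir prefix check below is the real guard`. The body of map_request_to_local_file continues outside this hunk, so the place where the local path is actually opened is not visible here.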
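--- a/tests/test-path-security.js
+++ b/tests/test-path-security.js
@@ -0,0 +1,18 @@
+require('./common');
+
+exports["don't allow access to files outside of basedir"] = function (test) {
+ antinode.start(settings, function() {
+ test_http(test, {
+ 'method':'GET',
+ 'pathname':'/....//scripthost.js',
+ 'headers': { 'host' : 'default-host' }
+ }, {
+ 'statusCode': 404,
+ 'body':''
+ },
+ function () {
+ antinode.stop();
+ test.done();
+ });
+ });
+};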
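Review bot: The test pins only the one input from the commit message (`/....//scripthost.js`), so a later edit to the regex could reintroduce the plain `../` case or miss a near variant without any test failing. It would be worth iterating a small table of pathnames through the same `test_http` call — at least `/../scripthost.js`, `/.../scripthost.js` and a percent-encoded `/%2e%2e/scripthost.js` — each expecting `'statusCode': 404`, so the whole class of inputs is covered rather than one sample. Adding `'/scripthost.js'` expecting a non-404 would also confirm the sanitiser does not reject legitimate paths. The fixtures `settings`, `antinode` and `test_http` presumably come from `./common`, which is not visible here.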

