From 65037eeb320f33b955923ff664f46b265e7bbccb Mon Sep 17 00:00:00 2001 From: isaacs Date: Sat, 31 Jul 2010 17:55:28 -0700 Subject: [PATCH] Don't let path.normalize get above the root. Any path.join or path.normalize that starts with a / will not go "above" that after normalization. This is important because /../foo is almost *always* some sort of error, and doesn't match the corollary in sh: `cd $p; pwd` At the worse, this can be a vector for exploits, since a static file server might do path.join(docroot, path.normalize("/"+req)) to get the file. If the normalized request path could be something like "/../../../etc/passwd" then bad things could happen. --- lib/path.js | 4 ++++ test/simple/test-path.js | 2 ++ 2 files changed, 6 insertions(+) diff --git a/lib/path.js b/lib/path.js index 60c7850d453..6238625680b 100644 --- a/lib/path.js +++ b/lib/path.js @@ -14,6 +14,10 @@ exports.normalizeArray = function (parts, keepBlanks) { // if it's a dot, and there was some previous dir already, then skip it. if (directory === "." && prev !== undefined) continue; + // if it starts with "", and is a . or .., then skip it. + if (directories.length === 1 && directories[0] === "" && ( + directory === "." || directory === "..")) continue; + if ( directory === ".." && directories.length diff --git a/test/simple/test-path.js b/test/simple/test-path.js index 7b16f9627a3..6570732ab32 100644 --- a/test/simple/test-path.js +++ b/test/simple/test-path.js @@ -38,9 +38,11 @@ assert.equal(path.extname("file.ext.ext"), ".ext"); assert.equal(path.extname("file."), "."); assert.equal(path.join(".", "fixtures/b", "..", "/b/c.js"), "fixtures/b/c.js"); +assert.equal(path.join("/foo", "../../../bar"), "/bar"); assert.equal(path.normalize("./fixtures///b/../b/c.js"), "fixtures/b/c.js"); assert.equal(path.normalize("./fixtures///b/../b/c.js",true), "fixtures///b/c.js"); +assert.equal(path.normalize("/foo/../../../bar"), "/bar"); assert.deepEqual(path.normalizeArray(["fixtures","b","","..","b","c.js"]), ["fixtures","b","c.js"]); assert.deepEqual(path.normalizeArray(["fixtures","","b","..","b","c.js"], true), ["fixtures","","b","c.js"]);