
prevent relative paths from giving access to files outside of /static

1 parent 8483885 commit 4f467f2aff4582480939808c79f46a426ea67822 @olegp committed Oct 20, 2011
Showing with 5 additions and 4 deletions.
  1. +5 −4 index.js
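--- a/index.js
+++ b/index.js
@@ -3,6 +3,7 @@ var markdown = require('github-flavored-markdown').parse;
 var mustache = require('mustache').to_html;
 var PAGES = './pages', TEMPLATES = './templates', STATIC = './static', SEPARATOR = '|';
+var ABSOLUTE_STATIC = fs.absolute(STATIC);
 var MIME_TYPES = {
 ".css": "text/css",
@@ -63,9 +64,9 @@ fs.listTree(TEMPLATES).splice(1).forEach(function(file) {
 exports.app = function(request) {
 var uri = request.pathInfo.substr(1);
 if(!uri.indexOf('static')) {
- // TODO remove .. and the likes
- var file = fs.join(STATIC, uri.substr('static'.length + 1));
- if(fs.exists(file)) {
+ var file = fs.absolute(fs.join(ABSOLUTE_STATIC, uri
+ .substr('static'.length + 1)));
+ if(!file.indexOf(ABSOLUTE_STATIC) && fs.exists(file)) {
 return {
 status: 200,
 'Content-Type': MIME_TYPES[fs.extension(file)],
@@ -89,7 +90,7 @@ exports.app = function(request) {
 || templates['index'];
 // TODO inject templates as well -- or separate them out into "partials"?
 page.body = mustache(template, {
- //TODO deal with case when title == 'index'
+ // TODO deal with case when title == 'index'
 title: page.title,
 body: markdown(md)
 });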
