
MappedDirectoryHandler: explicitly disallow files outside document root

timbertson committed Jun 29, 2014
1 parent f517eaf commit ebe1e2ef788b88470fb1b51ad68a9e77dbb236b0
Showing with 9 additions and 0 deletions.
  1. +9 −0 modules/server/file-server.sjs
@@ -27,6 +27,8 @@ var { StaticFormatMap } = require('./formats');
var { setStatus, writeRedirectResponse, HttpError, NotFound } = require('./response');
var lruCache = require('sjs:lru-cache');
var Forbidden = -> HttpError(403, 'Forbidden', 'Invalid Path' );
function checkEtag(t) {
if (!isString(t)) throw new Error("non-string etag: #{t}");
return t;
@@ -325,6 +327,8 @@ exports.MappedDirectoryHandler = function(root, settings) {
// ExecutableDirectory and CodeDirectory will selectively enable more dynamic
// (and less safe) behaviour.
root = path.normalize(root);
settings = { mapIndexToDir: true,
allowDirListing: true,
allowGenerators: false,
@@ -347,6 +351,11 @@ exports.MappedDirectoryHandler = function(root, settings) {
var file = relativePath ? path.join(root, relativePath) : root;
if (file.indexOf(root) !== 0) {
throw Forbidden();
}
if (process.platform == 'win32')
file = file.replace(/\\/g, '/');
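Review bot: The new `file.indexOf(root) !== 0` guard in the last hunk is a plain string-prefix test, so a request that `path.join` collapses to a sibling directory whose name merely begins with the root's name (root `/srv/www`, a path resolving to `/srv/www-private/secret`) still passes even though it lies outside the document root. Appending a separator to `root` would close that gap but breaks if the normalized root keeps a trailing slash, so I would instead compute `var rel = path.relative(root, file);` and reject with `if (rel === '..' || rel.indexOf('..' + path.sep) === 0) throw Forbidden();` — the `file === root` case yields `''` and is allowed. The check is purely lexical, so a symlink beneath root that points elsewhere is not caught here; if that is intended, a comment such as `// lexical containment check only; symlinks under root are not resolved` would save the next reader from assuming otherwise. MappedDirectoryHandler's body begins and ends outside this hunk, and the rendered view appears to have dropped blank lines, so I cannot confirm the remaining added lines.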
