Fix root path disclosure

fixxes #70

History.md

@@ -1,3 +1,8 @@
+unreleased
+==========
+
+  * Fix `root` path disclosure
+
 0.11.0 / 2015-01-05
 ===================
 

index.js

@@ -415,16 +415,16 @@ SendStream.prototype.pipe = function(res){
 
   var parts
   if (root !== null) {
-    // join / normalize from optional root dir
-    path = normalize(join(root, path))
-    root = normalize(root + sep)
-
     // malicious path
-    if ((path + sep).substr(0, root.length) !== root) {
+    if (upPathRegexp.test(normalize('.' + sep + path))) {
       debug('malicious path "%s"', path)
       return this.error(403)
     }
 
+    // join / normalize from optional root dir
+    path = normalize(join(root, path))
+    root = normalize(root + sep)
+
     // explode path parts
     parts = path.substr(root.length).split(sep)
   } else {

test/send.js

@@ -1170,6 +1170,17 @@ describe('send(file, options)', function(){
         .get('/../name.dir/name.txt')
         .expect(403, done)
       })
+
+      it('should not allow root path disclosure', function(done){
+        var app = http.createServer(function(req, res){
+          send(req, req.url, {root: __dirname + '/fixtures'})
+          .pipe(res);
+        });
+
+        request(app)
+        .get('/pets/../../fixtures/name.txt')
+        .expect(403, done)
+      })
     })
 
     describe('when missing', function(){