
Commit 9c6ca9b

committed
Fix a path traversal issue when using root
fixes #59 fixes #60
1 parent 463d1c9 commit 9c6ca9b


4 files changed

+30
-2
lines changed


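--- a/History.md
+++ b/History.md
@@ -1,3 +1,8 @@
+unreleased
+==========
+
+* Fix a path traversal issue when using `root`
+
 0.8.3 / 2014-08-16
 ==================
 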

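--- a/lib/send.js
+++ b/lib/send.js
@@ -412,7 +412,7 @@ SendStream.prototype.pipe = function(res){
 if (root !== null) {
 // join / normalize from optional root dir
 path = normalize(join(root, path))
-root = normalize(root)
+root = normalize(root + sep)
 
 // malicious path
 if (path.substr(0, root.length) !== root) {
@@ -421,7 +421,7 @@ SendStream.prototype.pipe = function(res){
 }
 
 // explode path parts
-parts = path.substr(root.length + 1).split(sep)
+parts = path.substr(root.length).split(sep)
 } else {
 // ".." is malicious without "root"
 if (upPathRegexp.test(path)) {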
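Review bot: The `// malicious path` comment above the prefix check does not say why a separator is now appended to `root`, which is the substance of the fix: without the trailing separator, a sibling directory whose name merely begins with the root's name (the `name.d` versus `name.dir` case exercised by the new test) would satisfy `path.substr(0, root.length) !== root`. Suggest expanding it to `// malicious path: root ends with sep, so a sibling dir whose name starts with root's name (e.g. name.d vs name.dir) cannot pass the prefix check`. The second hunk's change to `path.substr(root.length)` follows from the same fact, since the separator is now part of `root`. The containment check remains a textual comparison of the normalized path against `root`, and does not resolve symlinks under `root`, which appears to be by design. `SendStream.prototype.pipe` begins before the first hunk and continues past the second.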

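--- a/test/fixtures/name.d/name.txt
+++ b/test/fixtures/name.d/name.txt
@@ -0,0 +1 @@
+loki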

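--- a/test/send.js
+++ b/test/send.js
@@ -1097,6 +1097,17 @@ describe('send(file, options)', function(){
 .expect(200, 'tobi', done)
 })
 
+it('should with with trailing slash', function(done){
+var app = http.createServer(function(req, res){
+send(req, req.url, {root: __dirname + '/fixtures/'})
+.pipe(res);
+});
+
+request(app)
+.get('/name.txt')
+.expect(200, 'tobi', done)
+})
+
 it('should restrict paths to within root', function(done){
 var app = http.createServer(function(req, res){
 send(req, req.url, {root: __dirname + '/fixtures'})
@@ -1118,6 +1129,17 @@ describe('send(file, options)', function(){
 .get('/pets/../../send.js')
 .expect(403, done)
 })
+
+it('should not allow root transversal', function(done){
+var app = http.createServer(function(req, res){
+send(req, req.url, {root: __dirname + '/fixtures/name.d'})
+.pipe(res);
+});
+
+request(app)
+.get('/../name.dir/name.txt')
+.expect(403, done)
+})
 })
 
 describe('when missing', function(){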
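Review bot: The new test names in both hunks carry typos that will show up in every test report: `it('should with with trailing slash', function(done){` reads as `it('should work with trailing slash', function(done){`, and `it('should not allow root transversal', function(done){` should be `it('should not allow root traversal', function(done){`. The second test only asserts the 403 for `/../name.dir/name.txt`; a companion request for `/name.txt` against the same `fixtures/name.d` root expecting `200, 'loki'` would pin that the narrowed root still serves its own fixture, which is what the new `name.d/name.txt` file seems to exist for. Both tests live inside the `describe('send(file, options)')` block, which begins before the first hunk.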
