diff --git a/lib/router.js b/lib/router.js
index be232b9..d8f8e30 100644
--- a/lib/router.js
+++ b/lib/router.js
@@ -351,7 +351,6 @@
resp = {
"multipart-data": []
};
- // boundary = content_type.split(/;\s+/)[1].split('=')[1].trim();
boundary = content_type.split(/;\s+/)[1];
if (boundary) {
boundary = boundary.split('=')[1];
@@ -390,10 +389,10 @@
obj.fileLen = obj.fileData.length;
}
resp['multipart-data'].push(obj);
- }
+ }
}
}
- }
+ }
return resp;
};
_bodyparser = function(body, contentType) {
@@ -731,6 +730,9 @@
dispatch["static"] = function(pathname, req, res) {
var full_path;
full_path = "" + dispatch.static_route + (unescape(pathname));
+ if (full_path.indexOf('..') !== -1) {
+ return dispatch._403(null, res, pathname, "Trying to get private things through directory traversal is a nasty thing to do.");
+ }
return fs.exists(full_path, function(exists) {
var e, error;
if (exists) {
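Review bot: The added guard on `full_path.indexOf('..') !== -1` is a substring heuristic rather than a containment check: it rejects legitimate file names such as `notes..txt`, and it still leaves `full_path` built by plain string concatenation, so whether a request escapes `dispatch.static_route` depends on the spelling of the decoded path rather than on where it actually resolves. A sturdier form resolves the decoded path against the static root with `path.join`/`path.resolve` and then requires the result to equal the root or start with `root + path.sep`; that both catches every escaping form and stops rejecting harmless names. This assumes `path` is required at the top of lib/router.js, which is outside the hunk; the same check appears in the src/router.coffee hunk at @@ -613, and since lib/router.js reads like compiled CoffeeScript output, the source change presumably belongs there with lib regenerated. The `unescape` call is a separate, older issue (it does not decode UTF-8 percent sequences) and is not addressed here.
```javascript
dispatch["static"] = function(pathname, req, res) {
  var full_path, root;
  root = path.resolve(dispatch.static_route);
  // Normalise first, then check containment, instead of string-matching "..".
  full_path = path.join(root, unescape(pathname));
  if (full_path !== root && full_path.indexOf(root + path.sep) !== 0) {
    return dispatch._403(null, res, pathname, "Trying to get private things through directory traversal is a nasty thing to do.");
  }
  // … unchanged: fs.exists callback …
```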
@@ -1274,6 +1276,12 @@
}
});
};
+ dispatch._403 = function(req, res, path, message) {
+ res.writeHead(500, {
+ 'Content-Type': 'text/html'
+ });
+ return res.end("
403 - Forbidden: " + message + "
\n
Served by " + dispatch.served_by + " v" + dispatch.version + "
\n");
+ };
dispatch._405 = function(req, res, path, message) {
res.writeHead(405, {
'Content-Type': 'text/html'
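Review bot: `dispatch._403` answers with status 500 in `res.writeHead(500, {` while its body announces "403 - Forbidden", so clients and any logging keyed on status see a server error rather than a refusal; it should be `res.writeHead(403, {` to match the neighbouring `dispatch._405`, which uses 405. The same 500 appears in the src/router.coffee hunk at @@ -1002, whose end lies outside this view. A second point: `message` is concatenated into a text/html body without escaping; the only caller added in this commit passes a constant, but the helper has the same signature as `_405` and a future caller could hand it request-derived text, so a one-line comment such as `// message is emitted as HTML unescaped: callers must pass only fixed, trusted text` on the `dispatch._403` line would make that contract explicit.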
diff --git a/package.json b/package.json
index 2f53da0..070cbe6 100644
--- a/package.json
+++ b/package.json
@@ -21,7 +21,7 @@
"async",
"promises"
],
- "version": "0.10.0",
+ "version": "0.10.1",
"homepage": "http://node-simple-router.herokuapp.com",
"author": "Ernesto Savoretti ",
"repository": {
diff --git a/src/router.coffee b/src/router.coffee
index 6dd7c68..a8b7d14 100644
--- a/src/router.coffee
+++ b/src/router.coffee
@@ -613,6 +613,8 @@ Router = (options = {}) ->
dispatch.static = (pathname, req, res) ->
full_path = "#{dispatch.static_route}#{unescape(pathname)}"
+ if full_path.indexOf('..') isnt -1
+ return dispatch._403(null, res, pathname, "Trying to get private things through directory traversal is a nasty thing to do.")
fs.exists full_path, (exists) ->
if exists
if ((pathname.indexOf("#{dispatch.cgi_dir}/") isnt - 1) or (pathname.match /\.php$/)) and (pathname.substr(-1) isnt "/") and (dispatch.serve_cgi is true)
@@ -1002,6 +1004,14 @@ Router = (options = {}) ->
else
res.end data
+ dispatch._403 = (req, res, path, message) ->
+ res.writeHead(500, {'Content-Type': 'text/html'})
+ res.end("""
+ 403 - Forbidden: #{message}
+
Served by #{dispatch.served_by} v#{dispatch.version}
+
+ """)
+
dispatch._405 = (req, res, path, message) ->
res.writeHead(405, {'Content-Type': 'text/html'})
res.end("""