Fixed static() trailing backslash DoS vector. Closes #452

senchalabs · Jan 7, 2012 · 2b0e8d6 · 2b0e8d6
1 parent a02c338
commit 2b0e8d6
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 6 deletions.
diff --git a/lib/middleware/limit.js b/lib/middleware/limit.js
@@ -31,11 +31,6 @@ module.exports = function limit(bytes){
         ? parseInt(req.headers['content-length'], 10)
         : null;
 
-    // deny the request
-    function deny() {
-      req.destroy();
-    }
-
     // self-awareness
     if (req._limit) return next();
     req._limit = true;
@@ -46,7 +41,7 @@ module.exports = function limit(bytes){
     // limit
     req.on('data', function(chunk){
       received += chunk.length;
-      if (received > bytes) deny();
+      if (received > bytes) req.destroy();
     });
 
     next();

diff --git a/lib/middleware/static.js b/lib/middleware/static.js
@@ -198,7 +198,16 @@ var send = exports.send = function(req, res, next, options){
       function callback(err) { done || fn(err); done = true }
       req.on('close', callback);
       req.socket.on('error', callback);
+      stream.on('error', callback);
       stream.on('end', callback);
+    } else {
+      stream.on('error', function(err){
+        if (res.headerSent) {
+          console.error(err.stack);
+        } else {
+          next(err);
+        }
+      });
     }
   });
 };
diff --git a/test/static.js b/test/static.js
@@ -161,6 +161,14 @@ describe('connect.static()', function(){
     })
   })
 
+  describe('when a trailing backslash is given', function(){
+    it('should 500', function(done){
+      app.request()
+      .get('/todo.txt\\')
+      .expect(500, done);
+    })
+  })
+
   // TODO: node bug
   // describe('on ENAMETOOLONG', function(){
   //   it('should next()', function(done){