
Merge pull request #480 from aheckmann/malformedURI

malformedURIs return 400
2 parents 480e6bb + 9a20b6c commit d93927170ccd4718bba7b5b1546b987dc50e65cd @tj tj committed
Showing with 30 additions and 2 deletions.
  1. +21 −1 lib/middleware/static.js
  2. +9 −1 test/static.js
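--- a/lib/middleware/static.js
+++ b/lib/middleware/static.js
@@ -70,6 +70,24 @@ exports = module.exports = function static(root, options){
 exports.mime = mime;
 /**
+ * decodeURIComponent.
+ *
+ * Allows V8 to only deoptimize this fn instead of all
+ * of send().
+ *
+ * @param {String} path
+ * @api private
+ */
+
+function decode(path){
+ try {
+ return decodeURIComponent(path);
+ } catch (err) {
+ return err;
+ }
+}
+
+/**
 * Attempt to tranfer the requested file to `res`.
 *
 * @param {ServerRequest}
@@ -103,9 +121,11 @@ var send = exports.send = function(req, res, next, options){
 // parse url
 var url = parse(options.path)
- , path = decodeURIComponent(url.pathname)
+ , path = decode(url.pathname)
 , type;
+ if ('URIError: URI malformed' == path) return next(utils.error(400));
+
 // null byte(s)
 if (~path.indexOf('\0')) return next(utils.error(400));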
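Review bot: The malformed-URI guard in `send` compares the value returned by `decode()` against the literal `'URIError: URI malformed'` with `==`, so the 400 path depends on string coercion of the Error object and on the engine's exact message text. If that message ever differs, the Error falls through to the null-byte check and `path.indexOf` throws a TypeError on a non-string instead of producing a clean 400, which leaves the request-path validation (the null-byte check and whatever follows outside the hunk) behind a brittle comparison. Testing the type is sturdier: `if (path instanceof URIError) return next(utils.error(400));`, with the `decode()` doc comment gaining `@return {String|Error}` to state the contract. The body of `send` continues outside the hunk.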
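--- a/test/static.js
+++ b/test/static.js
@@ -169,6 +169,14 @@ describe('connect.static()', function(){
 })
 })
+ describe('malformedURIs', function(){
+ it('should respond with 400', function(done){
+ app.request()
+ .get('/%')
+ .expect(400, done)
+ });
+ })
+
 // TODO: node bug
 // describe('on ENAMETOOLONG', function(){
 // it('should next()', function(done){
@@ -179,4 +187,4 @@ describe('connect.static()', function(){
 // .expect(404, done);
 // })
 // })
-})
+})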
