Going to a directory path without trailing slash exposes system path. #14

Closed
serby opened this Issue Dec 10, 2011 · 2 comments

2 participants

@serby
serby commented Dec 10, 2011

If you go to:

http://www.tomg.co/js

Gzippo passes the filename to the staticSend via pass() on line 159. Express then does a 301 and redirects to this path.

Resulting in:

http://www.tomg.co/var/application/Tom/PersonalSite/public/js/

This is a pretty major security concern as it exposes private information about your system.

A directory check should be performed first, or the url.pathname should be sent to static send for the redirect.

@tomgco tomgco added a commit that referenced this issue Dec 21, 2011
@tomgco Adding test for #14 c2500ec
@tomgco tomgco added a commit that referenced this issue Dec 21, 2011
@tomgco Adding test for #14 bffc5a0
@tomgco tomgco added a commit that referenced this issue Dec 21, 2011
@tomgco Adding legacy fix and test for #14 17bacdc
@tomgco
Owner
tomgco commented Dec 21, 2011

This has now been fixed in 0.1.1 and 0.0.8

@tomgco tomgco closed this Dec 21, 2011
@serby
serby commented Feb 6, 2012

We think that this is still an issue and should be reopened

@domharrington domharrington added a commit to domharrington/gzippo that referenced this issue Feb 6, 2012
@domharrington domharrington Adding fix for #14 to ensure req.url isn't getting passed to staticSend on error, only if directory
2016a64
@tomgco tomgco added a commit that referenced this issue Feb 6, 2012
@domharrington domharrington Adding fix for #14 to ensure req.url isn't getting passed to staticSend on error, only if directory

Conflicts:

	lib/staticGzip.js
02db5ef