
Going to a directory path without trailing slash exposes system path. #14

Closed
serby opened this Issue · 2 comments

2 participants

@serby

If you go to:

http://www.tomg.co/js

Gzippo passes the filename to staticSend via pass() on line 159. Express then does a 301 and redirects to this path.

Resulting in:

http://www.tomg.co/var/application/Tom/PersonalSite/public/js/

This is a pretty major security concern as it exposes private information about your system.

A directory check should be performed first, or the url.pathname should be sent to static send for the redirect.

@tomgco tomgco referenced this issue from a commit
@tomgco Adding test for #14 c2500ec
@tomgco tomgco referenced this issue from a commit
@tomgco Adding test for #14 bffc5a0
@tomgco
Owner

This has now been fixed in 0.1.1 and 0.0.8

@tomgco tomgco closed this
@serby

We think that this is still an issue and should be reopened

@domharrington domharrington referenced this issue from a commit in domharrington/gzippo
@domharrington domharrington Adding fix for #14 to ensure req.url isn't getting passed to staticSe…
…nd on error, only if directory
2016a64
@tomgco tomgco referenced this issue from a commit
@domharrington domharrington Adding fix for #14 to ensure req.url isn't getting passed to staticSe…
…nd on error, only if directory

Conflicts:

	lib/staticGzip.js
02db5ef