
Major security issue with version 0.1.3 #32

murvinlai opened this Issue May 10, 2012 · 9 comments



I use gzippo@0.1.3 and I create the server like that:

    var express = require('express');
    var gzip = require('gzippo');

    app = express.createServer(
                gzip.staticGzip(__dirname + '/public', {maxAge:5000 })
                // further middleware arguments omitted in the report
    );

If I go to a URL like https://www.myself.com/../../../../../etc/rsyslog.conf or another such path, I can see any system file.

If I upgrade to gzippo@0.1.4 the problem seems not to be there. However, I don't know if 0.1.4 solves that problem purposely or if it just disappears in that version.

Please test this module carefully.


tomgco commented May 10, 2012

This was fixed in #14 and #24 and deployed in @0.1.4

When installing older versions a warn is shown displaying: npm WARN deprecated gzippo@0.1.3: critical bug fixed in v0.1.4

@tomgco tomgco closed this May 10, 2012



gilad61 commented May 28, 2012

I would like to reopen this issue, as 0.1.4 still has it.
If I go to any URL with '..' in it I can navigate back through the file system and get any file.
For example - http://localhost:8000/../../someFolder/someFile.txt

In connect they have a test to make sure you don't go back in the directory hierarchy:

    // malicious path
    if (root && 0 != path.indexOf(root)) return utils.forbidden(res);

where 'root' is the base dir, and 'path' is the full file path of the requested file.


dcolens commented Jun 20, 2012

I am still seeing this issue in 0.1.4 ...

I just found out another problem..


is another leak.

@murvinlai Same problem, gzippo doesn't check if the normalized path is under the paths it should be serving.

Also, don't run your node scripts as root - ever.


tomgco commented Jun 22, 2012

@murvinlai @wmertens What version of connect are you using and gzippo, as I cannot seem to replicate this problem. Also could you run the tests as well and let me know if anything fails?


I see that this was added:

but the gzippo version 0.1.4 I was testing at the time didn't have it.
