Security issue - can go back the file system hierarchy in 0.1.4 #33

Closed
gilad61 opened this Issue May 28, 2012 · 1 comment

@gilad61
Contributor

gilad61 commented May 28, 2012

If I go to any URL with '..' in it I can navigate back through the file system and get any file.
For example - http://localhost:8000/../../someFolder/someFile.txt

In connect they have a test to make sure you don't go back in the directory hierarchy:

```javascript
// malicious path
if (root && 0 != path.indexOf(root)) return utils.forbidden(res);
```

where 'root' is the base dir, and 'path' is the full file path of the requested file.

Thanks!

@tomgco tomgco closed this Jun 20, 2012

Should be fixed in 0.1.6

Owner

tomgco commented Jun 20, 2012

Should be fixed in 0.1.6
