Security issue - can go back the file system hierarchy in 0.1.4 #33

gilad61 opened this Issue May 28, 2012 · 1 comment


gilad61 commented May 28, 2012

If I go to any URL with '..' in it I can navigate back through the file system and get any file.
For example: http://localhost:8000/../../someFolder/someFile.txt

In connect they have a test to make sure you don't go back in the directories hierarchy:

```js
// malicious path
if (root && 0 != path.indexOf(root)) return utils.forbidden(res);
```

where 'root' is the base dir, and 'path' is the full file path of the requested file.


@tomgco tomgco closed this Jun 20, 2012



tomgco commented Jun 20, 2012

Should be fixed in 0.1.6
