Fixed path traversal vulnerability.
petersirka committed Dec 13, 2019
1 parent b13b7fc commit fa6a0d7
Showing 2 changed files with 7 additions and 2 deletions.
1 change: 1 addition & 0 deletions changes.txt
Expand Up @@ -39,6 +39,7 @@
- fixed: `(random)` subtype in `config` files
- fixed: `(response)` phrase in `ROUTE()` for multiple `OPERATIONS`
- fixed: a response in `ROUTE()` with mulitple operations if the result contained some error
- fixed: a security bug with a path traversal vulnerability

- improved: `LOGMAIL()` mail format

8 changes: 6 additions & 2 deletions index.js
Expand Up @@ -8087,6 +8087,9 @@ function makeproxycallback(response) {
response.pipe(this.$res, PROXYOPTIONS);
}


const TRAVELCHARS = { e: 1, E: 1 };

/**
* Continue to process
* @private
Expand All @@ -8111,10 +8114,10 @@ F.$requestcontinue = function(req, res, headers) {
if (!tmp) {
// Stops path travelsation outside of "public" directory
// A potential security issue
for (var i = 0; i < req.uri.pathname.length; i++) {
for (var i = 0; i < req.uri.pathname.length - 1; i++) {
var c = req.uri.pathname[i];
var n = req.uri.pathname[i + 1];
if ((c === '.' && (n === '/' || n === '%')) || (c === '%' && n === '2' && req.uri.pathname[i + 2] === 'e')) {
if ((c === '.' && (n === '/' || n === '%')) || (c === '%' && n === '2' && TRAVELCHARS[req.uri.pathname[i + 2]])) {
F.temporary.shortcache[req.uri.pathname] = 2;
req.$total_status(404);
return;
Expand All @@ -8127,6 +8130,7 @@ F.$requestcontinue = function(req, res, headers) {
}

F.stats.request.file++;

if (F._length_files)
req.$total_file();
else
