
res.sendfile() responding with 403 on malicious path

commit 177a724d588653c4e52c7be198d597ea341d5602 1 parent 949803d
TJ Holowaychuk authored
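--- a/docs/guide.md
+++ b/docs/guide.md
@@ -452,11 +452,6 @@ Used by `res.download()` to transfer an arbitrary file.
 
 res.sendfile('path/to/my.file');
 
-This is _not_ a substitution for Connect's _staticProvider_ middleware, it does not
-support HTTP caching, and does not perform any security checks. This method is utilized
-by _res.download()_ to transfer static files, and allows you do to so from outside of
-the public directory, so suitable security checks should be applied.
-
 This method accepts a callback which when given will be called on an exception, as well as when the transfer has completed. When a callback is not given, and the file has __not__ been streamed, _next(err)_ will be called on an exception.
 
 res.sendfile(path, function(err, path){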
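--- a/lib/express/response.js
+++ b/lib/express/response.js
@@ -134,6 +134,8 @@ http.ServerResponse.prototype.sendfile = function(path, fn){
 var self = this,
 streamThreshold = this.app.set('stream threshold') || 32 * 1024;
 
+ if (~path.indexOf('..')) this.send(403);
+
 function error(err) {
 delete self.headers['Content-Disposition'];
 if (fn) {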
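Review bot: The new guard on line 137 sends the 403 but does not return, so sendfile keeps running past it, installs the error handler and goes on to open and stream the rejected path into a response that has already been sent; it should read `if (~path.indexOf('..')) return this.send(403);`. A substring test on `..` is also coarser than the intent: it refuses any legitimate filename that happens to contain two consecutive dots, while saying nothing about where the path actually resolves to. Resolving the path and checking that the result stays under the directory the application means to serve from would state the rule directly; note the parameter is itself named `path`, so the core module would need a different local alias if it is brought in here. sendfile begins before this hunk and its body continues after it.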
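--- a/test/response.test.js
+++ b/test/response.test.js
@@ -197,7 +197,10 @@ module.exports = {
 });
 
 app.use(express.errorHandler());
-
+
+ assert.response(app,
+ { url: '/../express.test.js' },
+ { body: 'Forbidden', status: 403 });
 assert.response(app,
 { url: '/user.json' },
 { body: '{"name":"tj"}', status: 200, headers: { 'Content-Type': 'application/json' }});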
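Review bot: The added assertion pins only the literal `/../express.test.js` case, so it would not notice if sendfile went on to stream the file after the 403 had already been flushed, nor that an ordinary name such as `/a..b.json` is now refused by the substring check on line 137 of response.js. A second case requesting a filename that contains `..` without being a parent-directory segment, with whatever status the project intends for it, would document that behaviour and catch a later change to the check. Whether the test client sends `/../` verbatim or normalizes it before the request reaches the app cannot be told from this hunk, so the case may be worth confirming at the transport level too.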
