
res.sendfile() responding with 403 on malicious path

1 parent 949803d commit 177a724d588653c4e52c7be198d597ea341d5602 @tj tj committed Sep 20, 2010
Showing with 6 additions and 6 deletions.
  1. +0 −5 docs/guide.md
  2. +2 −0 lib/express/response.js
  3. +4 −1 test/response.test.js
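--- a/docs/guide.md
+++ b/docs/guide.md
@@ -452,11 +452,6 @@ Used by `res.download()` to transfer an arbitrary file.
 res.sendfile('path/to/my.file');
-This is _not_ a substitution for Connect's _staticProvider_ middleware, it does not
-support HTTP caching, and does not perform any security checks. This method is utilized
-by _res.download()_ to transfer static files, and allows you do to so from outside of
-the public directory, so suitable security checks should be applied.
-
 This method accepts a callback which when given will be called on an exception, as well as when the transfer has completed. When a callback is not given, and the file has __not__ been streamed, _next(err)_ will be called on an exception.
 res.sendfile(path, function(err, path){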
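--- a/lib/express/response.js
+++ b/lib/express/response.js
@@ -134,6 +134,8 @@ http.ServerResponse.prototype.sendfile = function(path, fn){
 var self = this,
 streamThreshold = this.app.set('stream threshold') || 32 * 1024;
+ if (~path.indexOf('..')) this.send(403);
+
 function error(err) {
 delete self.headers['Content-Disposition'];
 if (fn) {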
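Review bot: The added guard `if (~path.indexOf('..')) this.send(403);` does not return, so sendfile keeps executing after the 403 has been written and proceeds to the transfer code that follows this hunk; it should read `if (~path.indexOf('..')) return this.send(403);`. A bare substring test is also a weak boundary: it rejects legitimate names such as `a..b.json` while saying nothing about absolute paths, so a more robust check is to normalize/resolve the argument and confirm the result stays under the intended root before streaming. Note that the parameter is named `path`, so Node's `path` module would have to be required under another name inside this function. The remainder of sendfile, where the file is actually read, lies outside the hunk.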
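--- a/test/response.test.js
+++ b/test/response.test.js
@@ -197,7 +197,10 @@ module.exports = {
 });
 app.use(express.errorHandler());
-
+
+ assert.response(app,
+ { url: '/../express.test.js' },
+ { body: 'Forbidden', status: 403 });
 assert.response(app,
 { url: '/user.json' },
 { body: '{"name":"tj"}', status: 200, headers: { 'Content-Type': 'application/json' }});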
