Commit 464b2ebf04198512fa3e2bc5a3ab92e8e799ab93
Prevent escape base directory
cel committed on 2/17/2019, 4:33:01 PMParent: 9314ed556aff05392a2a7b5046429b1467c248bb
Files changed
index.js | changed |
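--- a/index.js
+++ b/index.js
@@ -59,9 +59,14 @@
 return res.end()
 }
 try {
 req.uri = url.parse(req.url.substr(prefix.length), true)
-var resolved = require.resolve(path.join(dir, req.uri.pathname))
+var file = path.normalize(path.join(dir, req.uri.pathname))
+if (dir !== file.substr(0, dir.length)) {
+res.writeHead(403)
+return res.end('Forbidden')
+}
+var resolved = require.resolve(file)
 var prevMtime = mtimes[resolved]
 var mtime = fs.statSync(resolved).mtime.getTime()
 if (mtime !== prevMtime) {
 delete require.cache[resolved]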
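Review bot: The containment check `dir !== file.substr(0, dir.length)` is a raw string-prefix comparison, so a normalized path in a sibling directory whose name merely begins with `dir` (constructed example: base `/srv/app`, file `/srv/app-old/x.js`) still passes and reaches `require.resolve`. Compare on a path boundary instead, e.g. `var rel = path.relative(dir, file)` followed by `if (rel === '..' || rel.indexOf('..' + path.sep) === 0 || path.isAbsolute(rel)) {` for the 403 branch. The check also assumes `dir` is already absolute and normalized; it is set outside this hunk, so that should be confirmed. Because `require.resolve` can return a different path than `file` (extension and index lookup, and presumably symlink resolution), repeating the containment test on `resolved` would be the stronger guard. The enclosing request handler starts and ends outside the hunk.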