From 3f1bacd7cfda6556f35563f3e79c60c62aa9d286 Mon Sep 17 00:00:00 2001
From: Jumpei Ogawa
Date: Tue, 28 Jul 2015 03:02:10 +0900
Subject: [PATCH 1/3] Prevent directory traversal for static file

---
 lib/app/index.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/app/index.js b/lib/app/index.js
index 856fa730..148813fe 100644
--- a/lib/app/index.js
+++ b/lib/app/index.js
@@ -176,7 +176,14 @@ var App = function () {
 // Get the path to the file, decoding the request URI
- staticPath = this.config.staticFilePath + decodeURIComponent(reqUrl);
+ staticPath = path.resolve(path.join(this.config.staticFilePath, decodeURIComponent(reqUrl)));
+
+ // Prevent directory traversal
+ if (staticPath.indexOf(this.config.staticFilePath) !== 0) {
+ this.handleNotFound(reqUrl, params, reqObj, respObj);
+ return;
+ }
+
 // Ignore querystring
 staticPath = staticPath.split('?')[0];

From 4c3e083e8490cc54955eabd0bb5531a963845a3a Mon Sep 17 00:00:00 2001
From: Jumpei Ogawa
Date: Tue, 28 Jul 2015 03:02:55 +0900
Subject: [PATCH 2/3] Version 13.0.8

---
 package.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package.json b/package.json
index 15952f23..60282d95 100644
--- a/package.json
+++ b/package.json
@@ -8,7 +8,7 @@
 "MVC",
 "realtime"
 ],
- "version": "13.0.7",
+ "version": "13.0.8",
 "author": "Matthew Eernisse (http://fleegix.org)",
 "dependencies": {
 "barista": "0.2.x",
@@ -43,4 +43,4 @@
 "engines": {
 "node": "*"
 }
-}
\ No newline at end of file
+}

From c0e2ab95c2b7cae557f88aa584e8de760df5479a Mon Sep 17 00:00:00 2001
From: Jumpei Ogawa
Date: Tue, 28 Jul 2015 03:35:00 +0900
Subject: [PATCH 3/3] Test on 0.12 and io.js too

---
 .travis.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.travis.yml b/.travis.yml
index 33330787..261d01f7 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,6 +1,8 @@
 language: node_js
 node_js:
+ - "0.12"
 - "0.10"
+ - "iojs"
 before_install:
 - npm update -g npm
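Review bot: The new guard `staticPath.indexOf(this.config.staticFilePath) !== 0` is a bare string-prefix test, so with a root of `/srv/public` a resolved path such as `/srv/public_old/secret` still passes, and it only holds if `staticFilePath` is already absolute and normalized, since `path.resolve` is applied to the joined path but never to the root (a relative root or one with a trailing separator would never match and every static request would fall through to handleNotFound). Resolve the root once and compare on a separator boundary: `var root = path.resolve(this.config.staticFilePath);` followed by `if (staticPath !== root && staticPath.indexOf(root + path.sep) !== 0) {`. Note also that the query string is stripped only after this check (`split('?')` on the next context line), so the path being validated still carries the raw query, and `decodeURIComponent` throws a URIError on malformed percent-encoding such as `%zz`, which is presumably not caught here — the enclosing request handler begins outside this hunk, so that is inferred.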