fix an issue in the path handling that allowed directory traversal

author: Tom Hunkapiller <tom@furycodes.com> 2015-04-10 19:25:52 -0500
committer: Tom Hunkapiller <tom@furycodes.com> 2015-04-10 20:03:00 -0500
commit: 3ebb19d8a2964abe4c21700a4208b1a66f39eb85 (patch)
tree: 6db50f775595790411d9de151b7b01c0bbdb38ea /src/node/hooks
parent: be0a96af6e0529e3a8a08526d154f515c869c892 (diff)
download: etherpad-lite-3ebb19d8a2964abe4c21700a4208b1a66f39eb85.zip
1 files changed, 6 insertions, 2 deletions
diff --git a/src/node/hooks/express/tests.js b/src/node/hooks/express/tests.js
index fcd81381..f3d721a9 100644
--- a/src/node/hooks/express/tests.js
+++ b/src/node/hooks/express/tests.js
@@ -23,6 +23,7 @@ exports.expressCreateServer = function (hook_name, args, cb) {
 
   });
 
+  var rootTestFolder = path.join(npm.root, "..", "/tests/frontend/");
   var url2FilePath = function(url){
     var subPath = url.substr("/tests/frontend".length);
     if (subPath == ""){
@@ -30,8 +31,11 @@ exports.expressCreateServer = function (hook_name, args, cb) {
     }
     subPath = subPath.split("?")[0];
 
-    var filePath = path.normalize(npm.root + "/../tests/frontend/")
-    filePath += subPath.replace("..", "");
+    var filePath = path.normalize(path.join(rootTestFolder, subPath));
+    // make sure we jail the paths to the test folder, otherwise serve index
+    if (filePath.indexOf(rootTestFolder) !== 0) {
+      filePath = path.normalize(path.join(rootTestFolder, "index.html"));
+    }
     return filePath;
   }
author	Tom Hunkapiller <tom@furycodes.com>	2015-04-10 19:25:52 -0500
committer	Tom Hunkapiller <tom@furycodes.com>	2015-04-10 20:03:00 -0500
commit	3ebb19d8a2964abe4c21700a4208b1a66f39eb85 (patch)
tree	6db50f775595790411d9de151b7b01c0bbdb38ea /src/node/hooks
parent	be0a96af6e0529e3a8a08526d154f515c869c892 (diff)
download	etherpad-lite-3ebb19d8a2964abe4c21700a4208b1a66f39eb85.zip