revert to old path handling, but strip out "..". fixes #2614

author: Tom Hunkapiller <tom@furycodes.com> 2015-04-15 14:30:53 -0500
committer: Tom Hunkapiller <tom@furycodes.com> 2015-04-15 14:31:21 -0500
commit: 6ff7d4e9a6f86d7a544adb029de5df9afc48b4c6 (patch)
tree: e663a1b870882324fdc1abd6f327b249957e08fb /src/node/utils
parent: 1fbf0db650aea721e25a1a89859b7d45cc704c07 (diff)
download: etherpad-lite-6ff7d4e9a6f86d7a544adb029de5df9afc48b4c6.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/src/node/utils/Minify.js b/src/node/utils/Minify.js
index 3b0be38c..ee8f5f45 100644
--- a/src/node/utils/Minify.js
+++ b/src/node/utils/Minify.js
@@ -143,8 +143,11 @@ function minify(req, res, next)
 
   // No relative paths, especially if they may go up the file hierarchy.
   filename = path.normalize(path.join(ROOT_DIR, filename));
+  filename = filename.replace(/\.\./g, '')
+
   if (filename.indexOf(ROOT_DIR) == 0) {
     filename = filename.slice(ROOT_DIR.length);
+    filename = filename.replace(/\\/g, '/')
   } else {
     res.writeHead(404, {});
     res.end();
@@ -165,6 +168,7 @@ function minify(req, res, next)
       var plugin = plugins.plugins[library];
       var pluginPath = plugin.package.realPath;
       filename = path.relative(ROOT_DIR, pluginPath + libraryPath);
+      filename = filename.replace(/\\/g, '/'); // windows path fix
     } else if (LIBRARY_WHITELIST.indexOf(library) != -1) {
       // Go straight into node_modules
       // Avoid `require.resolve()`, since 'mustache' and 'mustache/index.js'
author	Tom Hunkapiller <tom@furycodes.com>	2015-04-15 14:30:53 -0500
committer	Tom Hunkapiller <tom@furycodes.com>	2015-04-15 14:31:21 -0500
commit	6ff7d4e9a6f86d7a544adb029de5df9afc48b4c6 (patch)
tree	e663a1b870882324fdc1abd6f327b249957e08fb /src/node/utils
parent	1fbf0db650aea721e25a1a89859b7d45cc704c07 (diff)
download	etherpad-lite-6ff7d4e9a6f86d7a544adb029de5df9afc48b4c6.zip