author | Tom Hunkapiller <tom@furycodes.com> | 2015-04-10 19:25:52 -0500 |
---|---|---|
committer | John McLear <john@mclear.co.uk> | 2015-04-11 09:05:32 +0100 |
commit | 5409eb314c4e072b9760b8d30b985fa0bb96a006 (patch) | |
tree | 3a6c3bcc47820392b9774ed79f5f8cae54daed62 /src/node | |
parent | b95395a13094bd002f9ac4a1b23596d8ad14b71f (diff) | |
download | etherpad-lite-5409eb314c4e072b9760b8d30b985fa0bb96a006.zip |
fix an issue in the path handling that allowed directory traversal
Diffstat (limited to 'src/node')
-rw-r--r-- | src/node/hooks/express/tests.js | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/src/node/hooks/express/tests.js b/src/node/hooks/express/tests.js
index 3157d68e..dfe02c2a 100644
--- a/src/node/hooks/express/tests.js
+++ b/src/node/hooks/express/tests.js
@@ -23,6 +23,7 @@ exports.expressCreateServer = function (hook_name, args, cb) {
 });
+ var rootTestFolder = path.join(npm.root, "..", "/tests/frontend/");
 var url2FilePath = function(url){
 var subPath = url.substr("/tests/frontend".length);
 if (subPath == ""){
@@ -30,8 +31,11 @@ exports.expressCreateServer = function (hook_name, args, cb) {
 }
 subPath = subPath.split("?")[0];
- var filePath = path.normalize(npm.root + "/../tests/frontend/")
- filePath += subPath.replace("..", "");
+ var filePath = path.normalize(path.join(rootTestFolder, subPath));
+ // make sure we jail the paths to the test folder, otherwise serve index
+ if (filePath.indexOf(rootTestFolder) !== 0) {
+ filePath = path.normalize(path.join(rootTestFolder, "index.html"));
+ }
 return filePath;
 }
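Review bot: The jail check `filePath.indexOf(rootTestFolder) !== 0` in the second hunk is only a string-prefix comparison, so it rejects sibling directories (e.g. a constructed `tests/frontend-other/`) solely because `rootTestFolder` is built with a trailing separator in the first hunk; nothing documents that dependency, and dropping the trailing `/` from the `path.join` call later would silently widen the jail. I would add next to the `rootTestFolder` declaration: `// keep the trailing separator: url2FilePath's prefix check relies on it to exclude sibling directories`. The fallback to `index.html` also hides rejected requests from operators; a warn-level log of the original `url` in that branch (before the reassignment) would make traversal attempts visible in the server log without changing what is served. Both hunks sit inside `exports.expressCreateServer`, whose body starts and ends outside the hunks.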