fuwafuwa
/
etherpad-lite
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fix directory traversal 

See https://ada.adrianlang.de/etherpad-lite-directory-traversal
This commit is contained in:
Adrian Lang 2011-09-01 23:24:51 +02:00
parent 7e4bba0e31
commit 86d3b2ba81
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
node/server.js
View File

@ -99,7 +99,8 @@ async.waterfall([
app.get('/static/*', function(req, res) app.get('/static/*', function(req, res)
{ {
res.header("Server", serverName); res.header("Server", serverName);
var filePath = path.normalize(__dirname + "/.." + req.url.split("?")[0]); var filePath = path.normalize(__dirname + "/.." +
req.url.replace(/\./g, '').split("?")[0]);
res.sendfile(filePath, { maxAge: exports.maxAge }); res.sendfile(filePath, { maxAge: exports.maxAge });
}); });