From aac849f6ea675ac32c60d9ba62b163a81e1f112b Mon Sep 17 00:00:00 2001
From: Chad Weider
Date: Tue, 14 Feb 2012 18:14:07 -0800
Subject: [PATCH] Do not allow relative paths.
---
 node/utils/Minify.js | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/node/utils/Minify.js b/node/utils/Minify.js
index 5748e1be..127b44aa 100644
--- a/node/utils/Minify.js
+++ b/node/utils/Minify.js
@@ -31,7 +31,7 @@ var RequireKernel = require('require-kernel');
 var server = require('../server');
 var ROOT_DIR = path.normalize(__dirname + "/../" );
-var JS_DIR = ROOT_DIR + '../static/js/';
+var JS_DIR = path.normalize(ROOT_DIR + '../static/js/');
 var CSS_DIR = ROOT_DIR + '../static/css/';
 var TAR_PATH = path.join(__dirname, 'tar.json');
 var tar = JSON.parse(fs.readFileSync(TAR_PATH, 'utf8'));
@@ -52,6 +52,17 @@ for (var key in tar) {
 exports.minifyJS = function(req, res, next) {
 var filename = req.params['filename'];
+
+ // No relative paths, especially if they may go up the file hierarchy.
+ filename = path.normalize(path.join(JS_DIR, filename));
+ if (filename.indexOf(JS_DIR) == 0) {
+ filename = filename.slice(JS_DIR.length);
+ } else {
+ res.writeHead(404, {});
+ res.end();
+ return;
+ }
+
 res.header("Content-Type","text/javascript");
 statFile(filename, function (error, date, exists) {
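Review bot: The normalized JS_DIR introduced in the first hunk is load-bearing for the containment check the second hunk builds on it (`filename.indexOf(JS_DIR) == 0`), but nothing at the definition records that; path.normalize keeps the trailing separator, and that trailing '/' is what makes the prefix test a directory-containment test rather than a plain string-prefix match, so a comment such as `// Normalized and slash-terminated: minifyJS relies on JS_DIR as a containment prefix.` would guard it against a casual edit. CSS_DIR on the very next line is left as an un-normalized concatenation, so the two constants now differ in form; if CSS files are served through a similar lookup, the same normalization would be needed there, though its consumer is not visible in this hunk. The second hunk continues past the end of this excerpt, so its tail has not been reviewed here.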