fuwafuwa
/
etherpad-lite
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Do not allow relative paths.

This commit is contained in:
Chad Weider 2012-02-14 18:14:07 -08:00
parent 494ca0560b
commit aac849f6ea
1 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
node/utils/Minify.js
View File

@ -31,7 +31,7 @@ var RequireKernel = require('require-kernel');
var server = require('../server'); var server = require('../server');
var ROOT_DIR = path.normalize(__dirname + "/../" ); var ROOT_DIR = path.normalize(__dirname + "/../" );
var JS_DIR = ROOT_DIR + '../static/js/'; var JS_DIR = path.normalize(ROOT_DIR + '../static/js/');
var CSS_DIR = ROOT_DIR + '../static/css/'; var CSS_DIR = ROOT_DIR + '../static/css/';
var TAR_PATH = path.join(__dirname, 'tar.json'); var TAR_PATH = path.join(__dirname, 'tar.json');
var tar = JSON.parse(fs.readFileSync(TAR_PATH, 'utf8')); var tar = JSON.parse(fs.readFileSync(TAR_PATH, 'utf8'));
@ -52,6 +52,17 @@ for (var key in tar) {
exports.minifyJS = function(req, res, next) exports.minifyJS = function(req, res, next)
{ {
var filename = req.params['filename']; var filename = req.params['filename'];
// No relative paths, especially if they may go up the file hierarchy.
filename = path.normalize(path.join(JS_DIR, filename));
if (filename.indexOf(JS_DIR) == 0) {
filename = filename.slice(JS_DIR.length);
} else {
res.writeHead(404, {});
res.end();
return;
}
res.header("Content-Type","text/javascript"); res.header("Content-Type","text/javascript");
statFile(filename, function (error, date, exists) { statFile(filename, function (error, date, exists) {