diff options
| author | isaacs <i@izs.me> | 2010-07-31 17:55:28 -0700 |
|---|---|---|
| committer | Ryan Dahl <ry@tinyclouds.org> | 2010-08-01 20:20:17 -0700 |
| commit | 65037eeb320f33b955923ff664f46b265e7bbccb (patch) | |
| tree | 6cad2f25f015e97b123a98e99a1bbd3600aacdde /lib/path.js | |
| parent | dc8c079d904abc6d01357e70d72c9de7bacd7c1a (diff) | |
| download | android-node-v8-65037eeb320f33b955923ff664f46b265e7bbccb.tar.gz android-node-v8-65037eeb320f33b955923ff664f46b265e7bbccb.tar.bz2 android-node-v8-65037eeb320f33b955923ff664f46b265e7bbccb.zip | |
Don't let path.normalize get above the root.
Any path.join or path.normalize that starts with a / will not go "above" that after normalization. This is important because /../foo is almost *always* some sort of error, and doesn't match the corollary in sh: `cd $p; pwd`
At the worse, this can be a vector for exploits, since a static file server might do path.join(docroot, path.normalize("/"+req)) to get the file. If the normalized request path could be something like "/../../../etc/passwd" then bad things could happen.
Diffstat (limited to 'lib/path.js')
| -rw-r--r-- | lib/path.js | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/lib/path.js b/lib/path.js index 60c7850d45..6238625680 100644 --- a/lib/path.js +++ b/lib/path.js @@ -14,6 +14,10 @@ exports.normalizeArray = function (parts, keepBlanks) { // if it's a dot, and there was some previous dir already, then skip it. if (directory === "." && prev !== undefined) continue; + // if it starts with "", and is a . or .., then skip it. + if (directories.length === 1 && directories[0] === "" && ( + directory === "." || directory === "..")) continue; + if ( directory === ".." && directories.length |