node-http-server
| /src/handler.js |
|---|
| @@ -12,11 +12,13 @@ |
| // Checks whether userPath is a child of rootPath. |
| function isRooted(userPath, rootPath, separator, callback) { |
| process.nextTick(() => { |
| userPath = userPath.split(separator).filter(Boolean); |
| fs.realpath(userPath, (error, resolved) => { |
| if (error) |
| return false; |
| resolved = resolved.split(separator).filter(Boolean); |
| rootPath = rootPath.split(separator).filter(Boolean); |
| callback(userPath.length >= rootPath.length && |
| rootPath.every((e, i) => e === userPath[i])); |
| callback(resolved.length >= rootPath.length && |
| rootPath.every((e, i) => e === resolved[i])); |
| }); |
| } |
| @@ -140,7 +142,7 @@ |
| } |
| if (stats.isFile()) { |
| const file = path.parse(requestPath).base; |
| // If the file matches the reject list or is not in the accept list, |
| // then there is no file to serve. |
| if (config.site.reject.some((expression) => expression.test(file)) || |
| @@ -180,6 +182,8 @@ |
| path.join(root, trimmedPath) : |
| path.resolve(root, trimmedPath); |
| // Check for path traversals early on and bail if the requested path does not |
| // lie within the specified document root. |
| isRooted(requestPath, root, path.sep, (rooted) => { |
| if (!rooted) { |
| process.nextTick(() => { |