node-http-server
/src/handler.js |
@@ -12,11 +12,13 @@ |
|
// Checks whether userPath is a child of rootPath. |
function isRooted(userPath, rootPath, separator, callback) { |
process.nextTick(() => { |
userPath = userPath.split(separator).filter(Boolean); |
fs.realpath(userPath, (error, resolved) => { |
if (error) |
return false; |
resolved = resolved.split(separator).filter(Boolean); |
rootPath = rootPath.split(separator).filter(Boolean); |
callback(userPath.length >= rootPath.length && |
rootPath.every((e, i) => e === userPath[i])); |
callback(resolved.length >= rootPath.length && |
rootPath.every((e, i) => e === resolved[i])); |
}); |
} |
|
@@ -140,7 +142,7 @@ |
} |
if (stats.isFile()) { |
const file = path.parse(requestPath).base; |
|
|
// If the file matches the reject list or is not in the accept list, |
// then there is no file to serve. |
if (config.site.reject.some((expression) => expression.test(file)) || |
@@ -180,6 +182,8 @@ |
path.join(root, trimmedPath) : |
path.resolve(root, trimmedPath); |
|
// Check for path traversals early on and bail if the requested path does not |
// lie within the specified document root. |
isRooted(requestPath, root, path.sep, (rooted) => { |
if (!rooted) { |
process.nextTick(() => { |
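Review bot: In the first hunk, the error branch inside the `fs.realpath` callback of `isRooted` does `return false;` without invoking `callback`, so when realpath fails (a nonexistent path, for instance) the continuation passed in by the caller in the third hunk never runs and the request is presumably left hanging; it should be `if (error) return callback(false);`. The new comparison checks the symlink-resolved `resolved` against a `rootPath` that is only split, not resolved, so a document root that itself sits behind a symlink would fail the prefix check for every request; resolving the root once at startup and passing that in would keep the two sides comparable. The rendered page prints both the `userPath` and the `resolved` comparison, so it is worth confirming that only the `resolved` call to `callback` survives, since invoking it twice would run the response path twice. The check and the later file read are separate steps, so a symlink changed in between is still followed; a short comment on `isRooted` stating that limitation would help the next reader.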