Fixed parent directory access hole.

The parent directory regex was not strict enough. Added unit test.
mhansen · Sep 20, 2010 · a400cff · a400cff
1 parent 288afdd
commit a400cff
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/lib/antinode.js b/lib/antinode.js
@@ -87,7 +87,7 @@ function map_request_to_local_file(req, resp) {
     //if the parsed url doesn't have a pathname, default to '/'
     var pathname = (url.pathname || '/');
     var clean_pathname = pathname.
-        replace(/\.\.\//g,''). //disallow parent directory access
+        replace(/\.\.\.*\/\/*/g,''). //disallow parent directory access
             replace(/\%20/g,' ');  //convert spaces
 
     function select_vhost() {

diff --git a/tests/test-path-security.js b/tests/test-path-security.js
@@ -0,0 +1,18 @@
+require('./common');
+
+exports["don't allow access to files outside of basedir"] = function (test) {
+    antinode.start(settings, function() {
+        test_http(test, {
+                      'method':'GET',
+                      'pathname':'/....//scripthost.js',
+                      'headers': { 'host' : 'default-host' }
+                    }, {
+                      'statusCode': 404,
+                      'body':''
+                    },
+          function () {
+              antinode.stop();
+              test.done();
+        });
+    });
+};