Merge pull request #10304 from april/master

Add protection against directory traversal attacks
mozilla · Dec 10, 2018 · 2f4c7e0 · 2f4c7e0
2 parents 45c0197 + 64cb8c6
commit 2f4c7e0
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/test/webserver.js b/test/webserver.js
@@ -80,7 +80,11 @@ WebServer.prototype = {
   _handler: function (req, res) {
     var url = req.url.replace(/\/\//g, '/');
     var urlParts = /([^?]*)((?:\?(.*))?)/.exec(url);
-    var pathPart = decodeURI(urlParts[1]), queryPart = urlParts[3];
+    // guard against directory traversal attacks,
+    // e.g. /../../../../../../../etc/passwd
+    // which let you make GET requests for files outside of this.root
+    var pathPart = path.normalize(decodeURI(urlParts[1]));
+    var queryPart = urlParts[3];
     var verbose = this.verbose;
 
     var methodHooks = this.hooks[req.method];