Merge pull request #10447 from timvandermeij/bad-request

Handle malformed URIs as bad requests in the development webserver
This commit is contained in:
Tim van der Meij 2019-01-13 15:09:17 +01:00 committed by GitHub
commit 5efc902fb8


@ -80,10 +80,19 @@ WebServer.prototype = {
_handler: function (req, res) {
var url = req.url.replace(/\/\//g, '/');
var urlParts = /([^?]*)((?:\?(.*))?)/.exec(url);
// guard against directory traversal attacks,
// e.g. /../../../../../../../etc/passwd
// which let you make GET requests for files outside of this.root
var pathPart = path.normalize(decodeURI(urlParts[1]));
try {
// Guard against directory traversal attacks such as
// `/../../../../../../../etc/passwd`, which let you make GET requests
// for files outside of `this.root`.
var pathPart = path.normalize(decodeURI(urlParts[1]));
} catch (ex) {
// If the URI cannot be decoded, a `URIError` is thrown. This happens for
// malformed URIs such as `http://localhost:8888/%s%s` and should be
// handled as a bad request.
res.writeHead(400);
res.end('Bad request', 'utf8');
return;
}
var queryPart = urlParts[3];
var verbose = this.verbose;
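Review bot: The new `catch (ex)` block maps every exception thrown inside the `try` to a 400, not only the `URIError` that the comment above `res.writeHead(400)` describes, so any other failure in that statement would be masked as a client error instead of surfacing as a server bug. Catching narrowly keeps the bad-request mapping precise: `if (!(ex instanceof URIError)) { throw ex; }` as the first statement of the catch, before `res.writeHead(400)`. The response also sends `'Bad request'` with a `'utf8'` encoding but no `Content-Type`; `res.writeHead(400, { 'Content-Type': 'text/plain' });` would make the reply self-describing, matching how the encoding is already stated on the `res.end` line. The body of `_handler` continues past the end of this hunk.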