Handle malformed URIs as bad requests in the development webserver

Fixes #10445 (found by Dhiraj Mishra).
Tim van der Meij 2019-01-13 14:50:27 +01:00
parent 35415b935c
commit 6279fc601a


@ -80,10 +80,19 @@ WebServer.prototype = {
_handler: function (req, res) { _handler: function (req, res) {
var url = req.url.replace(/\/\//g, '/'); var url = req.url.replace(/\/\//g, '/');
var urlParts = /([^?]*)((?:\?(.*))?)/.exec(url); var urlParts = /([^?]*)((?:\?(.*))?)/.exec(url);
// guard against directory traversal attacks, try {
// e.g. /../../../../../../../etc/passwd // Guard against directory traversal attacks such as
// which let you make GET requests for files outside of this.root // `/../../../../../../../etc/passwd`, which let you make GET requests
var pathPart = path.normalize(decodeURI(urlParts[1])); // for files outside of `this.root`.
var pathPart = path.normalize(decodeURI(urlParts[1]));
} catch (ex) {
// If the URI cannot be decoded, a `URIError` is thrown. This happens for
// malformed URIs such as `http://localhost:8888/%s%s` and should be
// handled as a bad request.
res.writeHead(400);
res.end('Bad request', 'utf8');
return;
}
var queryPart = urlParts[3]; var queryPart = urlParts[3];
var verbose = this.verbose; var verbose = this.verbose;