Sakurai/pdf.js
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add protection against directory traversal attacks

Browse Source
This commit is contained in:
April King 2018-12-10 12:59:04 -06:00
parent 1cb7cc9bf4
commit 64cb8c6b98
No known key found for this signature in database
GPG Key ID: 1524708D623646A5
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
test/webserver.js
View File

@ -80,7 +80,11 @@ WebServer.prototype = {
_handler: function (req, res) { _handler: function (req, res) {
var url = req.url.replace(/\/\//g, '/'); var url = req.url.replace(/\/\//g, '/');
var urlParts = /([^?]*)((?:\?(.*))?)/.exec(url); var urlParts = /([^?]*)((?:\?(.*))?)/.exec(url);
var pathPart = decodeURI(urlParts[1]), queryPart = urlParts[3]; // guard against directory traversal attacks,
// e.g. /../../../../../../../etc/passwd
// which let you make GET requests for files outside of this.root
var pathPart = path.normalize(decodeURI(urlParts[1]));
var queryPart = urlParts[3];
var verbose = this.verbose; var verbose = this.verbose;
var methodHooks = this.hooks[req.method]; var methodHooks = this.hooks[req.method];