[PATCH] Don't let path.normalize get above the root.


Isaac Schlueter

Jul 31, 2010, 9:06:45 PM
to nod...@googlegroups.com, Ryan Dahl
Any path.join or path.normalize that starts with a / will not go
"above" that after normalization. This is important because /../foo
is almost *always* some sort of error, and doesn't match the corollary
in sh: `cd $p; pwd`

At worst, this can be a vector for exploits, since a static file
server might do path.join(docroot, path.normalize("/"+req)) to get the
file. If the normalized request path could be something like
"/../../../etc/passwd" then bad things could happen.

http://github.com/isaacs/node/commit/3a3f8de6170351ff83ec6c46d456a6476193ac0e

--i

0004-Don-t-let-path.normalize-get-above-the-root.patch

r...@tinyclouds.org

Aug 1, 2010, 11:22:04 PM
to Isaac Schlueter, nod...@googlegroups.com

Thank you. Committed in 65037ee.
