mirror of https://github.com/lukechilds/node.git
Any path.join or path.normalize that starts with a / will not go "above" that after normalization. This is important because /../foo is almost *always* some sort of error, and doesn't match the corollary in sh: `cd $p; pwd` At worst, this can be a vector for exploits, since a static file server might do `path.join(docroot, path.normalize("/"+req))` to get the file. If the normalized request path could be something like "/../../../etc/passwd" then bad things could happen.

v0.7.4-release
isaacs, 15 years ago, committed by Ryan Dahl
2 changed files with 6 additions and 0 deletions