diff -urN package.orig/lib/send.js package/lib/send.js
--- package.orig/lib/send.js 2014-04-24 07:34:09.000000000 -0700
+++ package/lib/send.js 2014-09-24 05:11:48.577758689 -0700
@@ -362,7 +362,7 @@
if (this.isMalicious()) return this.error(403);
// malicious path
- if (root && 0 != path.indexOf(root)) return this.error(403);
+ if (root && 0 != path.indexOf(root.indexOf('/', root.length - 1) == -1 ? root + '/': root)) return this.error(403);
// hidden file support
if (!this._hidden && this.hasLeadingDot()) return this.error(404);
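Review bot: The separator appended on the new line 8 is a hard-coded `'/'`, so on Windows a root of the form `C:\www\fixtures` still prefix-matches a sibling such as `C:\www\fixtures-private\...`, and the inline ternary makes a 403 check harder to audit than it should be. Prefer the platform separator and a named intermediate, e.g. `var rootDir = root[root.length - 1] === sep ? root : root + sep;` followed by `if (root && 0 !== path.indexOf(rootDir)) return this.error(403);` (with `sep` taken from the `path` module, which would need to be required if it is not already). The check is only sound if `path` has been joined with root and normalized before this point, which happens outside the hunk; the enclosing function starts and ends outside it, so I could not confirm that here. A why-comment would help the next reader: `// root must end in a separator so a sibling dir that shares root's prefix (root "foo" vs "foobar") is rejected, not just "../" escapes`.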
diff -urN package.orig/test/fixtures/name.d/name.txt package/test/fixtures/name.d/name.txt
--- package.orig/test/fixtures/name.d/name.txt 1969-12-31 17:00:00.000000000 -0700
+++ package/test/fixtures/name.d/name.txt 2014-09-24 04:44:35.879434279 -0700
@@ -0,0 +1 @@
+loki
\ No newline at end of file
diff -urN package.orig/test/send.js package/test/send.js
--- package.orig/test/send.js 2014-04-25 09:02:45.000000000 -0700
+++ package/test/send.js 2014-09-24 04:59:05.175041255 -0700
@@ -511,6 +511,17 @@
.end(done);
})
+ it('should with with trailing slash', function(done){
+ var app = http.createServer(function(req, res){
+ send(req, req.url, {root: __dirname + '/fixtures/'})
+ .pipe(res);
+ });
+
+ request(app)
+ .get('/name.txt')
+ .expect(200, 'tobi', done)
+ })
+
it('should restrict paths to within root', function(done){
var app = http.createServer(function(req, res){
send(req, req.url, {root: __dirname + '/fixtures'})
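Review bot: The description of the added test on line 23 reads `should with with trailing slash`, which will show up in every test report; it should be `it('should work with trailing slash', function(done){`. The test also only covers the happy path for a trailing-slash root; the prefix check in lib/send.js branches on whether root already ends in a separator, so a companion request that must be rejected with that same `fixtures/` root (for example `.get('/../name.txt').expect(403)`) would exercise the other side of that branch.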
@@ -535,6 +546,17 @@
.expect('Forbidden')
.end(done);
})
+
+ it('should not allow root transversal', function(done){
+ var app = http.createServer(function(req, res){
+ send(req, req.url, {root: __dirname + '/fixtures/name.d'})
+ .pipe(res);
+ });
+
+ request(app)
+ .get('/../name.dir/name.txt')
+ .expect(403, done)
+ })
})
describe('when missing', function(){
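Review bot: The added fixture `name.d/name.txt` (content `loki`) is never requested in this hunk, so the new test only proves that the sibling `name.dir` is rejected, not that files inside `name.d` itself are still served once a trailing separator is appended to root; a second request against the same app, `.get('/name.txt').expect(200, 'loki')`, would pin both halves of the fix. The description on line 42 has a typo, `transversal` for `traversal`: `it('should not allow root traversal', function(done){`. The test also presumes `fixtures/name.dir/name.txt` already exists in the repository, which is not visible in this patch.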