The example server.js:

```javascript
var fs = require('fs');

var staticHandler = function(request, response) {
  var path = request.url;
  // request.url is appended to __dirname unmodified and used as a file-system path
  fs.readFile(__dirname + path, function(err, content) {
    // ... (remainder of the handler as in the original server.js)
  });
};
```

doesn't validate the url, so there is nothing stopping it from being e.g. `/../spec/server.key` (given a few lines later). Given that people are likely to copy the example, setting a safe precedent might be a good idea! :-)
That's a really good point, I don't want people to put that code in production. Is there a library for automatically sanitising the path? Otherwise I could add something like this to detect path traversal: