[nodejs-send/el6: 2/2] fix directory traversal vulnerability (RHBZ#1146063)
T.C. Hollingsworth
patches at fedoraproject.org
Wed Sep 24 12:25:53 UTC 2014
commit aee871ed988c104cc6b1242af7fd447e8b8b2adb
Author: T.C. Hollingsworth <tchollingsworth at gmail.com>
Date: Wed Sep 24 05:24:09 2014 -0700
fix directory traversal vulnerability (RHBZ#1146063)
nodejs-send-root-traversal.patch | 57 ++++++++++++++++++++++++++++++++++++++
nodejs-send.spec | 5 ++-
2 files changed, 61 insertions(+), 1 deletions(-)
---
diff --git a/nodejs-send-root-traversal.patch b/nodejs-send-root-traversal.patch
new file mode 100644
index 0000000..1a70898
--- /dev/null
+++ b/nodejs-send-root-traversal.patch
@@ -0,0 +1,57 @@
+diff -urN package.orig/lib/send.js package/lib/send.js
+--- package.orig/lib/send.js 2014-04-24 07:34:09.000000000 -0700
++++ package/lib/send.js 2014-09-24 05:11:48.577758689 -0700
+@@ -362,7 +362,7 @@
+ if (this.isMalicious()) return this.error(403);
+
+ // malicious path
+- if (root && 0 != path.indexOf(root)) return this.error(403);
++ if (root && 0 != path.indexOf(root.indexOf('/', root.length - 1) == -1 ? root + '/': root)) return this.error(403);
+
+ // hidden file support
+ if (!this._hidden && this.hasLeadingDot()) return this.error(404);
+diff -urN package.orig/test/fixtures/name.d/name.txt package/test/fixtures/name.d/name.txt
+--- package.orig/test/fixtures/name.d/name.txt 1969-12-31 17:00:00.000000000 -0700
++++ package/test/fixtures/name.d/name.txt 2014-09-24 04:44:35.879434279 -0700
+@@ -0,0 +1 @@
++loki
+\ No newline at end of file
+diff -urN package.orig/test/send.js package/test/send.js
+--- package.orig/test/send.js 2014-04-25 09:02:45.000000000 -0700
++++ package/test/send.js 2014-09-24 04:59:05.175041255 -0700
+@@ -511,6 +511,17 @@
+ .end(done);
+ })
+
++ it('should with with trailing slash', function(done){
++ var app = http.createServer(function(req, res){
++ send(req, req.url, {root: __dirname + '/fixtures/'})
++ .pipe(res);
++ });
++
++ request(app)
++ .get('/name.txt')
++ .expect(200, 'tobi', done)
++ })
++
+ it('should restrict paths to within root', function(done){
+ var app = http.createServer(function(req, res){
+ send(req, req.url, {root: __dirname + '/fixtures'})
+@@ -535,6 +546,17 @@
+ .expect('Forbidden')
+ .end(done);
+ })
++
++ it('should not allow root transversal', function(done){
++ var app = http.createServer(function(req, res){
++ send(req, req.url, {root: __dirname + '/fixtures/name.d'})
++ .pipe(res);
++ });
++
++ request(app)
++ .get('/../name.dir/name.txt')
++ .expect(403, done)
++ })
+ })
+
+ describe('when missing', function(){
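Review bot: The rewritten guard on the `// malicious path` line hard-codes `'/'` as the separator, so if `path` is built with the platform separator (the `join`/`normalize` code is outside this hunk) the prefix would never match on Windows and every request would be rejected with 403; `require('path').sep` is the portable choice. The expression `root.indexOf('/', root.length - 1) == -1` is also an obscure way to ask "does root end with a slash", and computing the prefix once reads better: `var rootPrefix = root && root[root.length - 1] === sep ? root : root + sep;` then `if (root && path.indexOf(rootPrefix) !== 0) return this.error(403);`. The new test title `'should with with trailing slash'` looks like a typo for `'should work with trailing slash'`. The enclosing function starts and ends outside the hunk.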
diff --git a/nodejs-send.spec b/nodejs-send.spec
index ffad925..b4b6351 100644
--- a/nodejs-send.spec
+++ b/nodejs-send.spec
@@ -5,7 +5,7 @@
Name: nodejs-send
Version: 0.3.0
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: Better streaming static file server with Range and conditional-GET support
License: MIT
Group: System Environment/Libraries
@@ -76,6 +76,9 @@ cp -pr package.json index.js lib/ \
%changelog
+* Wed Sep 24 2014 T.C. Hollingsworth <tchollingsworth at gmail.com> - 0.3.0-3
+- fix directory traversal vulnerability (RHBZ#1146063)
+
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 0.3.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild