return 403 error if symlink destination is outside files root

pillarjs · Jan 21, 2016 · 92c82e1 · 92c82e1
1 parent 2f6314f
commit 92c82e1
Showing 1 changed file with 8 additions and 2 deletions.
diff --git a/index.js b/index.js
@@ -452,9 +452,15 @@ SendStream.prototype.redirectSymbolicLink = function redirectSymbolicLink(path)
   {
     if (err) return self.onStatError(err)
 
+    // Get absolute path on the real filesystem of the destination
+    path = dirname(path)
+    var to = resolve(path, linkString)
+
+    // Check destination is not out of files root
+    if(to.indexOf(self._root) !== 0) return this.error(403)
+
     // Get relative paths for all symlinks, also for absolute ones
-    path       = dirname(path)
-    linkString = relative(path, resolve(path, linkString))
+    linkString = relative(path, to)
 
     // Resolve the URL, and make it relative (is this necessary?)
     linkString = url.resolve(self.path, linkString)