mirror of
https://github.com/terribleplan/next.js.git
synced 2024-01-19 02:48:18 +00:00
Merge branch 'fix-dir-traversal-error'
commit
02fe7cf63f
|
@ -1,4 +1,4 @@
|
|||
import { resolve, join } from 'path'
|
||||
import { resolve, join, sep } from 'path'
|
||||
import { parse as parseUrl } from 'url'
|
||||
import { parse as parseQs } from 'querystring'
|
||||
import fs from 'fs'
|
||||
|
@ -295,6 +295,10 @@ export default class Server {
|
|||
}
|
||||
|
||||
async serveStatic (req, res, path) {
|
||||
if (!this.isServeableUrl(path)) {
|
||||
return this.render404(req, res)
|
||||
}
|
||||
|
||||
try {
|
||||
return await serveStatic(req, res, path)
|
||||
} catch (err) {
|
||||
|
@ -306,6 +310,19 @@ export default class Server {
|
|||
}
|
||||
}
|
||||
|
||||
isServeableUrl (path) {
|
||||
const resolved = resolve(path)
|
||||
if (
|
||||
resolved.indexOf(join(this.dir, this.dist) + sep) !== 0 &&
|
||||
resolved.indexOf(join(this.dir, 'static') + sep) !== 0
|
||||
) {
|
||||
// Seems like the user is trying to traverse the filesystem.
|
||||
return false
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
|
||||
isInternalUrl (req) {
|
||||
for (const prefix of internalPrefixes) {
|
||||
if (prefix.test(req.url)) {
|
||||
|
|
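Review bot: The check in `isServeableUrl` is purely lexical, so it holds only if `path` is already in the exact form that the `serveStatic` helper later opens: `resolve()` neither percent-decodes the string nor follows symlinks. That helper's body is outside these hunks; if it decodes or normalises the path again, the validation should run on the decoded value, and `fs.realpath` output should be compared if links under `static` must not leave the tree. The prefix comparison also presumes `this.dir` is absolute (not visible here), and `resolved.startsWith(join(this.dir, 'static') + sep)` states the intent more directly than `indexOf(...) !== 0`. No test accompanies the change on this page; a regression case asserting a 404 for a path that resolves outside both allowed directories would pin the behaviour.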