Merge branch 'fix-dir-traversal-error'
commit
02fe7cf63f
|
@ -1,4 +1,4 @@
|
||||||
import { resolve, join } from 'path'
|
import { resolve, join, sep } from 'path'
|
||||||
import { parse as parseUrl } from 'url'
|
import { parse as parseUrl } from 'url'
|
||||||
import { parse as parseQs } from 'querystring'
|
import { parse as parseQs } from 'querystring'
|
||||||
import fs from 'fs'
|
import fs from 'fs'
|
||||||
|
@ -295,6 +295,10 @@ export default class Server {
|
||||||
}
|
}
|
||||||
|
|
||||||
async serveStatic (req, res, path) {
|
async serveStatic (req, res, path) {
|
||||||
|
if (!this.isServeableUrl(path)) {
|
||||||
|
return this.render404(req, res)
|
||||||
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
return await serveStatic(req, res, path)
|
return await serveStatic(req, res, path)
|
||||||
} catch (err) {
|
} catch (err) {
|
||||||
|
@ -306,6 +310,19 @@ export default class Server {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
isServeableUrl (path) {
|
||||||
|
const resolved = resolve(path)
|
||||||
|
if (
|
||||||
|
resolved.indexOf(join(this.dir, this.dist) + sep) !== 0 &&
|
||||||
|
resolved.indexOf(join(this.dir, 'static') + sep) !== 0
|
||||||
|
) {
|
||||||
|
// Seems like the user is trying to traverse the filesystem.
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
isInternalUrl (req) {
|
isInternalUrl (req) {
|
||||||
for (const prefix of internalPrefixes) {
|
for (const prefix of internalPrefixes) {
|
||||||
if (prefix.test(req.url)) {
|
if (prefix.test(req.url)) {
|
||||||
|
|
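Review bot: In `isServeableUrl` the candidate is normalised with `resolve(path)` but the two allowed roots are built with `join(this.dir, …)`, so the prefix test only works if `this.dir` is already absolute and normalised; that is set outside this diff and should be confirmed, or the roots built with `resolve(this.dir, this.dist) + sep` and `resolve(this.dir, 'static') + sep`. The check is also purely lexical: `resolve` does not follow symlinks, so a link inside either directory that points elsewhere still passes, and comparing `fs.realpath` results would be needed if deployments can contain such links. The method receives a filesystem path rather than a URL, so a comment such as `// path: absolute filesystem path; only files under <dir>/<dist> or <dir>/static are served` would make the contract clear. The guard only covers callers that go through `Server#serveStatic`; any route that calls the imported `serveStatic` directly (not visible here) bypasses it.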