terribleplan/next.js
1
0
Fork 0
mirror of https://github.com/terribleplan/next.js.git synced 2024-01-19 02:48:18 +00:00
Code Issues Releases Wiki Activity

Implement the fix.

Browse source
This commit is contained in:
Arunoda Susiripala 2017-06-01 05:46:32 +05:30
parent 442c611d49
commit 43c447edd0
1 changed files with 18 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
server/index.js
View file

@ -1,4 +1,4 @@
import { resolve, join } from 'path' import { resolve, join, sep } from 'path'
import { parse as parseUrl } from 'url' import { parse as parseUrl } from 'url'
import { parse as parseQs } from 'querystring' import { parse as parseQs } from 'querystring'
import fs from 'fs' import fs from 'fs'
@ -295,6 +295,10 @@ export default class Server {
} }
async serveStatic (req, res, path) { async serveStatic (req, res, path) {
if (!this.isServeableUrl(path)) {
return this.render404(req, res)
}
try { try {
return await serveStatic(req, res, path) return await serveStatic(req, res, path)
} catch (err) { } catch (err) {
@ -306,6 +310,19 @@ export default class Server {
} }
} }
isServeableUrl (path) {
const resolved = resolve(path)
if (
resolved.indexOf(join(this.dir, this.dist) + sep) !== 0 &&
resolved.indexOf(join(this.dir, 'static') + sep) !== 0
) {
// Seems like the user is trying to traverse the filesystem.
return false
}
return true
}
isInternalUrl (req) { isInternalUrl (req) {
for (const prefix of internalPrefixes) { for (const prefix of internalPrefixes) {
if (prefix.test(req.url)) { if (prefix.test(req.url)) {