From 8e2dca16b219deb72e66538b6f16063f73cd53b1 Mon Sep 17 00:00:00 2001
From: Jafar Akhondali
Date: Tue, 30 Jul 2024 19:29:50 +0200
Subject: [PATCH] Block malicious looking requests to prevent path traversal attacks.
---
 http.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/http.js b/http.js
index 86f59b6..4fb1780 100644
--- a/http.js
+++ b/http.js
@@ -274,6 +274,11 @@ HTTP = {
 if(!pathName) pathName = defaultUrl;
 pathName = pathName ? (CONFIG.homedir?(CONFIG.homedir+'/'+pathName):pathName) : defaultUrl;
 self.route.bind(self)(pathName, request, response);
+ if (path.normalize(decodeURI(request.url)) !== decodeURI(request.url)) {
+ response.statusCode = 403;
+ response.end();
+ return;
+ }
 });
 }
 };
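Review bot: The new traversal check runs after `self.route.bind(self)(pathName, request, response)`, so the request has already been handed to the router by the time the 403 branch is evaluated; the guard has to sit before the route call to block anything. `decodeURI(request.url)` also throws a `URIError` on malformed percent-encoding, which is unhandled here, and it leaves `%2F` encoded, so whether encoded separators are caught depends on how the router decodes the path (not visible in this hunk). Comparing the whole `request.url` against `path.normalize` will also reject benign URLs whose query string contains `//` or `..`, and on Windows `path.normalize` rewrites `/` to `\`, so `path.posix.normalize` applied to the path component alone would be a more reliable comparison. The enclosing callback starts above the hunk, so the placement sketched below assumes `pathName` is final at that point and that `path` is already required in this file.

```javascript
// … unchanged: pathName / defaultUrl resolution …
let decodedUrl;
try {
  decodedUrl = decodeURI(request.url);
} catch (err) {
  // decodeURI throws URIError on malformed percent-encoding
  response.statusCode = 400;
  response.end();
  return;
}
if (path.normalize(decodedUrl) !== decodedUrl) {
  response.statusCode = 403;
  response.end();
  return;
}
self.route.bind(self)(pathName, request, response);
```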