Directory Traversal
Closed this issue · 4 comments
First of all, this is an awesome package with lots of functionalities.
It just has a directory traversal issue, which can be fixed by adding some filtering on the requested URL path. To exploit the vulnerability, I can just send a web request, say: http://localhost:80/../../../
to browse and retrieve any file on the hosting server.
Notice: the above URL does not work with wget or a browser. Try it using http.get in a Node.js program.
Thank you for so much concern. That will be fixed within a week. You can also send a pull request to me.
I have created a pull request. Since I did not find test scripts, hopefully it will not break any existing functionality.
Cool! Thanks for merging the pull request and patching the package on npm.
Just a friendly reminder: the following packages may need to be patched as well since their source code points to this repo:
Those packages have all been deprecated.