ensure that resource path is a child of the root path in resource middleware

macchiato-framework / macchiato-core

Ring style HTTP server abstraction for Node.js

MIT License

377 stars 35 forks source link

ensure that resource path is a child of the root path in resource middleware #10

Closed yogthos closed 7 years ago

yogthos commented 7 years ago

Currently, resource middleware doesn't ensure that the resource path is a child of the root path. So paths such as //../org/some-file could read files outside the resource path.

yogthos commented 7 years ago

fixed by https://github.com/macchiato-framework/macchiato-core/commit/9aa41bcb9c839d40d2b2a412c3771bd84add143a