Merge pull request #2617 from devoidfury/fix/windows-issue-2614

revert to old path handling, but strip out "..". fixes #2614
pull/2636/head
John McLear 2015-04-15 20:38:02 +01:00
commit ee10a21d82
1 changed files with 4 additions and 0 deletions

View File

@ -143,8 +143,11 @@ function minify(req, res, next)
// No relative paths, especially if they may go up the file hierarchy.
filename = path.normalize(path.join(ROOT_DIR, filename));
filename = filename.replace(/\.\./g, '')
if (filename.indexOf(ROOT_DIR) == 0) {
filename = filename.slice(ROOT_DIR.length);
filename = filename.replace(/\\/g, '/')
} else {
res.writeHead(404, {});
res.end();
@ -165,6 +168,7 @@ function minify(req, res, next)
var plugin = plugins.plugins[library];
var pluginPath = plugin.package.realPath;
filename = path.relative(ROOT_DIR, pluginPath + libraryPath);
filename = filename.replace(/\\/g, '/'); // windows path fix
} else if (LIBRARY_WHITELIST.indexOf(library) != -1) {
// Go straight into node_modules
// Avoid `require.resolve()`, since 'mustache' and 'mustache/index.js'