Avoid path traversal with "../"-filenames

Sebastian.Just · Sebastian.Just · commit e43100a92bce · 2014-09-04T14:27:49.000-04:00
diff --git a/lib/uploadhandler.js b/lib/uploadhandler.js
@@ -174,8 +174,20 @@ module.exports = function (options) {
         var self = this,
             fileName = path.basename(decodeURIComponent(this.req.url));
 
-        fs.unlink(options.uploadDir() + '/' + fileName, function (ex) {
+        var filepath = path.join(options.uploadDir(), fileName);
+        if (filepath.indexOf(options.uploadDir()) !== 0) {
+            self.emit('delete', fileName);
+            self.callback({success: false});            
+            return;
+        }
+        fs.unlink(filepath, function (ex) {
             _.each(options.imageVersions, function (value, version) {
+                var versionfilepath = path.join(options.uploadDir(), version, fileName);
+                if (versionfilepath.indexOf(options.uploadDir()) !== 0) {
+                    self.emit('delete', fileName);
+                    self.callback({success: false});            
+                    return;
+                }
                 fs.unlink(options.uploadDir() + '/' + version + '/' + fileName);
             });
             self.emit('delete', fileName);
