
Commit c032d29

committed
Fix returning 403 Forbidden on Windows #6109
1 parent ba62cae commit c032d29

2 files changed

Lines changed: 11 additions & 2 deletions


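--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,11 @@
 
+## 7.0.2
+
+### Bug Fixes
+
+- Fix `pm2 serve` returning 403 Forbidden on Windows — traversal guard used hardcoded `/` separator #6109
+
+
 ## 7.0.1
 
 ### Bug Fixes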

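--- a/lib/API/Serve.js
+++ b/lib/API/Serve.js
@@ -250,11 +250,13 @@ http.createServer(function (request, response) {
 function serveFile(uri, request, response) {
 var file = decodeURIComponent(new URL(uri || request.url, 'http://localhost').pathname);
 
-var filePath = path.resolve(options.path + file);
+var rootPath = path.resolve(options.path);
+var filePath = path.resolve(rootPath + file);
 
 // since we call filesystem directly so we need to verify that the
 // url doesn't go outside the serve path
-if (filePath !== options.path && !filePath.startsWith(options.path + '/')) {
+var relative = path.relative(rootPath, filePath);
+if (relative !== '' && (relative.startsWith('..') || path.isAbsolute(relative))) {
 response.writeHead(403, { 'Content-Type': 'text/html' });
 return response.end('403 Forbidden');
 }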
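Review bot: The new guard's `relative.startsWith('..')` also matches legitimate names inside the served root that merely begin with two dots (a file called `..data` directly under the root has the relative path `..data`), so such a file would get a 403; testing the path segment instead avoids this: `if (relative === '..' || relative.startsWith('..' + path.sep) || path.isAbsolute(relative)) {`. With that form the `relative !== ''` clause is no longer needed. Separately, `decodeURIComponent` on the context line above throws a URIError on a malformed percent-escape, and whether any caller catches it is not visible in this hunk, so it is worth confirming that a bad request ends in an error response and not an unhandled exception. serveFile's body continues past the end of the hunk.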
