Expand file tree Collapse file tree Original file line number Diff line number Diff line change 11
2+ ## 7.0.2
3+
4+ ### Bug Fixes
5+
6+ - Fix ` pm2 serve ` returning 403 Forbidden on Windows — traversal guard used hardcoded ` / ` separator #6109
7+
8+
29## 7.0.1
310
411### Bug Fixes
Original file line number Diff line number Diff line change @@ -250,11 +250,13 @@ http.createServer(function (request, response) {
250250function serveFile ( uri , request , response ) {
251251 var file = decodeURIComponent ( new URL ( uri || request . url , 'http://localhost' ) . pathname ) ;
252252
253- var filePath = path . resolve ( options . path + file ) ;
253+ var rootPath = path . resolve ( options . path ) ;
254+ var filePath = path . resolve ( rootPath + file ) ;
254255
255256 // since we call filesystem directly so we need to verify that the
256257 // url doesn't go outside the serve path
257- if ( filePath !== options . path && ! filePath . startsWith ( options . path + '/' ) ) {
258+ var relative = path . relative ( rootPath , filePath ) ;
259+ if ( relative !== '' && ( relative . startsWith ( '..' ) || path . isAbsolute ( relative ) ) ) {
258260 response . writeHead ( 403 , { 'Content-Type' : 'text/html' } ) ;
259261 return response . end ( '403 Forbidden' ) ;
260262 }
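Review bot: The new guard's `relative.startsWith('..')` test is a string-prefix check, not a path-segment check, so it also returns 403 for legitimate entries inside the root whose name merely begins with two dots (a constructed example: a file named `..config`). It fails closed, so this is a false 403 rather than a traversal bypass, but a segment-aware condition is tighter: `if (relative === '..' || relative.startsWith('..' + path.sep) || path.isAbsolute(relative)) {`. With that form the `relative !== ''` clause is no longer needed. The check is also purely lexical and does not resolve symlinks under `rootPath`; whether that matters depends on the rest of `serveFile`, whose body continues outside this hunk.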