From 4849f76c42bb6d9ee0dce75c4a2924592ac68134 Mon Sep 17 00:00:00 2001
From: andyhu
Date: Tue, 3 Feb 2015 06:12:06 +0800
Subject: [PATCH 1/5] Update index.js
---
 index.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/index.js b/index.js
index 36866e2..7913397 100644
--- a/index.js
+++ b/index.js
@@ -85,7 +85,7 @@ module.exports = function (root, options) {
 path = resolve(root, path)
 // hidden file support
- if (!hidden && leadingDot(path)) return
+ if (!hidden && isHidden(path)) return
 var file = yield* get(path)
 if (!file) return // 404
@@ -245,8 +245,8 @@ function ignoreStatError(err) {
 throw err
 }
-function leadingDot(path) {
- return '.' === basename(path)[0]
+function isHidden(path) {
+ return /[\\\/]\./.test(path);
 }
 function random() {
From 8766368927b9c84eb82fc8732e18726ea6ec1a85 Mon Sep 17 00:00:00 2001
From: andyhu
Date: Tue, 3 Feb 2015 06:19:16 +0800
Subject: [PATCH 2/5] move path checking code before resolve Since we shouldn't match the result in base path. For example '/var/.webroot/abc.txt'
---
 index.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/index.js b/index.js
index 7913397..107d146 100644
--- a/index.js
+++ b/index.js
@@ -81,12 +81,12 @@ module.exports = function (root, options) {
 var directory = path === '' || path.slice(-1) === '/'
 if (index && directory) path += 'index.html'
- // regular paths can not be absolute
- path = resolve(root, path)
-
 // hidden file support
 if (!hidden && isHidden(path)) return
+ // regular paths can not be absolute
+ path = resolve(root, path)
+
 var file = yield* get(path)
 if (!file) return // 404
From db84414be6950a547da7a612e0dbde9169dbb78f Mon Sep 17 00:00:00 2001
From: andyhu
Date: Tue, 3 Feb 2015 06:33:28 +0800
Subject: [PATCH 3/5] Update index.js fix the broken test. sorry it's a bit ugly used regex `look behind` (negative matching) clause
---
 index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
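Review bot: `isHidden` in PATCH 1/5 (second hunk) changes the filter from "file name starts with a dot" to "any path segment starts with a dot", and nothing in the patch states or tests that contract; the diffstat shows only index.js changed. Since this is the check that keeps the contents of dot-directories from being served when `hidden` is off, it should carry a doc comment such as `// true when any segment of the request path begins with '.'` and a test that requests a file below a dot-directory and expects it not to be served. The added `return` line also ends in `;` while the surrounding context lines (`throw err`, `path = resolve(root, path)`) use none.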
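Review bot: With the hidden check moved ahead of `resolve(root, path)` in PATCH 2/5, `isHidden` now inspects the request path exactly as it stands at this point, and the lines that build `path` lie above the hunk. If percent-decoding or any other normalisation happens only inside or after `resolve`, the string tested here and the string used for the file lookup can differ, so the two could disagree about whether a segment starts with a dot. Please confirm that `path` is fully decoded before this line and record it next to the check, e.g. `// path must already be decoded here; isHidden() is a purely lexical test`. The enclosing generator function starts and ends outside the hunk.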
diff --git a/index.js b/index.js
index 107d146..dc57f8d 100644
--- a/index.js
+++ b/index.js
@@ -246,7 +246,7 @@ function ignoreStatError(err) {
 }
 function isHidden(path) {
- return /[\\\/]\./.test(path);
+ return /[\\\/]\.(?!\.[\\\/])/.test(path);
 }
 function random() {
From e59caec72fdc665a6f2f37fe1880bfe640d601a8 Mon Sep 17 00:00:00 2001
From: andyhu
Date: Tue, 3 Feb 2015 07:48:32 +0800
Subject: [PATCH 4/5] add comments for the brain melting regex
---
 index.js | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/index.js b/index.js
index dc57f8d..1aafdba 100644
--- a/index.js
+++ b/index.js
@@ -246,6 +246,10 @@ function ignoreStatError(err) {
 }
 function isHidden(path) {
+ // unescaped version: /[/\].(?!.[/\])/
+ // [\/] matches a path separator, . matches leading dot
+ // while (?!.[/\]) makes sure that something like /../ should not be matched
+ // and is passed to resove-path to get the correct error response
 return /[\\\/]\.(?!\.[\\\/])/.test(path);
 }
 function random() {
From 7e80c32f62fda470fc4ecffbc9501f4e6fd0de87 Mon Sep 17 00:00:00 2001
From: andyhu
Date: Tue, 3 Feb 2015 09:29:57 +0800
Subject: [PATCH 5/5] Update index.js
---
 index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/index.js b/index.js
index 1aafdba..1542aac 100644
--- a/index.js
+++ b/index.js
@@ -250,7 +250,7 @@ function isHidden(path) {
 // [\/] matches a path separator, . matches leading dot
 // while (?!.[/\]) makes sure that something like /../ should not be matched
 // and is passed to resove-path to get the correct error response
- return /[\\\/]\.(?!\.[\\\/])/.test(path);
+ return /(^|[\\\/])\.(?!\.[\\\/])/.test(path);
 }
 function random() {
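Review bot: The lookahead added in PATCH 3/5 exempts `..` segments that are followed by a separator, so for those requests the later `resolve(root, path)` call, which is outside this hunk, becomes the only guard. That reliance deserves a test that sends a `../` path with `hidden` off and asserts an error response with no file body. A `..` at the very end of the path has no trailing separator, so it still matches and takes the silent `return` instead of the resolve error; if a uniform response is wanted, the lookahead could be `(?!\.(?:[\\\/]|$))`.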
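Review bot: The comment added in PATCH 4/5 describes a different pattern from the one it sits above: its "unescaped version" `/[/\].(?!.[/\])/` drops the backslashes that make `\.` a literal dot, so read as a regex it would match any character, and it says `[\/]` matches a path separator while the class in the code also accepts a backslash. "resove-path" is misspelled, and PATCH 5/5 adds `(^|…)` to the pattern without updating these lines. I would replace the block with plain wording, e.g. `// hidden: a segment (at the start, or after / or \) begins with '.',` followed by `// except '..' plus a separator, which is left for resolve() to handle`.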