Merge pull request +13343 from c9/standalone-fix-security-m10

sanitize path from URL
2016-04-11 15:32:19 +02:00 · 2016-04-11 15:32:19 +02:00 · 2433da1f70
commit 2433da1f70
--- a/plugins/c9.vfs.standalone/standalone.js
+++ b/plugins/c9.vfs.standalone/standalone.js
@ -176,7 +176,7 @@ function plugin(options, imports, register) {
    
    api.get("/update/:path*", function(req, res, next) {
        var filename = req.params.path;
-        var path = resolve(__dirname + "/../../build/output/" + filename);
+        var path = resolve(__dirname + "/../../build/output/" + resolve("/" + filename));
        
        var stream = fs.createReadStream(path);
        stream.on("error", function(err) {