paperboy patch
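/**
 * Map a request URL onto a file path beneath `webroot`.
 *
 * The URL is percent-decoded, joined onto `webroot` and normalised; the result
 * is accepted only if it still begins with `webroot` plus a trailing separator,
 * so `..` segments (encoded or not) cannot climb above the web root.
 *
 * NOTE(review): the containment check is purely lexical. A symlink inside
 * `webroot` that points elsewhere is not detected here; resolving the real path
 * before opening the file would be needed for that.
 * NOTE(review): no query string or fragment is stripped here; presumably the
 * caller passes the pathname only. Confirm at the call site.
 *
 * @param {string} webroot - Directory that served files must stay inside.
 * @param {string} url - Request path, still percent-encoded.
 * @returns {Array} `[null, filePath]` on success, or
 *   `['Permission Denied', null]` when the URL is malformed or escapes webroot.
 */
exports.filepath = function (webroot, url) {
  var pathSep = process.platform === 'win32' ? '\\' : '/';
  var decoded;
  var root;
  // Declared locally: the original assigned `fp` without `var`, creating an
  // implicit global (and a ReferenceError under strict mode).
  var fp;

  // Decode first so that encoded traversal sequences (%2e%2e, %2f) are seen by
  // the containment check below. decodeURIComponent throws URIError on
  // malformed escapes (e.g. "%E0%A4%A"); left uncaught, one bad request would
  // raise out of the request handler, so treat it as a denied request.
  try {
    decoded = decodeURIComponent(url);
  } catch (e) {
    return ['Permission Denied', null];
  }

  // A decoded NUL byte has no place in a file name; reject it rather than hand
  // it to the filesystem layer.
  if (decoded.indexOf('\0') !== -1) {
    return ['Permission Denied', null];
  }

  // Append index.html if the path ends with '/'.
  if (/\/$/.test(decoded)) {
    decoded += 'index.html';
  }

  // Normalise webroot the same way the candidate path is normalised, so a
  // webroot written with '..', doubled separators or (on Windows) forward
  // slashes still compares equal to its own prefix.
  root = path.normalize(webroot);
  // The trailing separator stops a sibling such as "/var/www-private" from
  // matching the prefix "/var/www".
  if (root[root.length - 1] !== pathSep) {
    root += pathSep;
  }

  fp = path.normalize(path.join(root, decoded));

  // Make sure nobody can use '..' to get above webroot.
  if (fp.substr(0, root.length) !== root) {
    return ['Permission Denied', null];
  }

  // path.normalize already emits the platform separator, so the original
  // first-occurrence-only replace('/', pathSep) is not needed.
  return [null, fp];
};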