Fix incorrect 403 on Windows and Node.js 0.11

fixes #17
expressjs · Oct 1, 2014 · d4eaa4d · d4eaa4d
1 parent 351c226
commit d4eaa4d
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 6 deletions.
diff --git a/HISTORY.md b/HISTORY.md
@@ -1,3 +1,8 @@
+unreleased
+==========
+
+ * Fix incorrect 403 on Windows and Node.js 0.11
+
 1.3.0 / 2014-09-20
 ==================
 

diff --git a/index.js b/index.js
@@ -79,8 +79,9 @@ exports = module.exports = function serveIndex(root, options){
   // root required
   if (!root) throw new TypeError('serveIndex() root path required');
 
-  // resolve root to absolute
+  // resolve root to absolute and normalize
   root = resolve(root);
+  root = normalize(root + sep);
 
   var hidden = options.hidden
     , icons = options.icons
@@ -102,21 +103,24 @@ exports = module.exports = function serveIndex(root, options){
     // parse URLs
     var url = parseUrl(req);
     var originalUrl = parseUrl.original(req);
+    var dir = decodeURIComponent(url.pathname);
+    var originalDir = decodeURIComponent(originalUrl.pathname);
 
-    var dir = decodeURIComponent(url.pathname)
-      , path = normalize(join(root, dir))
-      , originalDir = decodeURIComponent(originalUrl.pathname)
-    var showUp = resolve(path) !== root;
+    // join / normalize from root dir
+    var path = normalize(join(root, dir));
 
     // null byte(s), bad request
     if (~path.indexOf('\0')) return next(createError(400));
 
     // malicious path
-    if (path.substr(0, root.length) !== root) {
+    if ((path + sep).substr(0, root.length) !== root) {
       debug('malicious path "%s"', path);
       return next(createError(403));
     }
 
+    // determine ".." display
+    var showUp = normalize(resolve(path) + sep) !== root;
+
     // check if we have a directory
     debug('stat "%s"', path);
     fs.stat(path, function(err, stat){