Remove '..' param check which is no longer required. Closes #5

hapijs · May 9, 2016 · 7251728 · 7251728
1 parent 0a6b551
commit 7251728
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 13 deletions.
diff --git a/lib/directory.js b/lib/directory.js
@@ -77,16 +77,7 @@ exports.handler = function (route, options) {
 
         // Append parameter
 
-        let selection = null;
-        const lastParam = request.paramsArray[request.paramsArray.length - 1];
-        if (lastParam) {
-            if (lastParam.indexOf('..') !== -1) {
-                return reply(Boom.forbidden());
-            }
-
-            selection = lastParam;
-        }
-
+        const selection = request.paramsArray[request.paramsArray.length - 1];
         if (selection &&
             !settings.showHidden &&
             internals.isFileHidden(selection)) {

diff --git a/test/security.js b/test/security.js
@@ -40,7 +40,7 @@ describe('security', () => {
 
         server.inject('/%00/../security.js', (res) => {
 
-            expect(res.statusCode).to.equal(403);
+            expect(res.statusCode).to.equal(404);
             done();
         });
     });
@@ -76,7 +76,7 @@ describe('security', () => {
 
         server.inject('/..%252Fsecurity.js', (res) => {
 
-            expect(res.statusCode).to.equal(403);
+            expect(res.statusCode).to.equal(404);
             done();
         });
     });
@@ -88,7 +88,7 @@ describe('security', () => {
 
         server.inject('/..\u2216security.js', (res) => {
 
-            expect(res.statusCode).to.equal(403);
+            expect(res.statusCode).to.equal(404);
             done();
         });
     });