Fileserver: Check for valid file paths

core/modules/server/routes/get-file.js

@@ -21,21 +21,28 @@ exports.handler = function(request,response,state) {
 		fs = require("fs"),
 		util = require("util"),
 		suppliedFilename = decodeURIComponent(state.params[0]),
-		filename = path.resolve(state.boot.wikiPath,"files",suppliedFilename),
+		baseFilename = path.resolve(state.boot.wikiPath,"files"),
+		filename = path.resolve(baseFilename,suppliedFilename),
 		extension = path.extname(filename);
-	fs.readFile(filename,function(err,content) {
-		var status,content,type = "text/plain";
-		if(err) {
-			console.log("Error accessing file " + filename + ": " + err.toString());
-			status = 404;
-			content = "File '" + suppliedFilename + "' not found";
-		} else {
-			status = 200;
-			content = content;
-			type = ($tw.config.fileExtensionInfo[extension] ? $tw.config.fileExtensionInfo[extension].type : "application/octet-stream");
-		}
-		state.sendResponse(status,{"Content-Type": type},content);
-	});
+	// Check that the filename is inside the wiki files folder
+	if(path.relative(baseFilename,filename).indexOf("..") !== 0) {
+		// Send the file
+		fs.readFile(filename,function(err,content) {
+			var status,content,type = "text/plain";
+			if(err) {
+				console.log("Error accessing file " + filename + ": " + err.toString());
+				status = 404;
+				content = "File '" + suppliedFilename + "' not found";
+			} else {
+				status = 200;
+				content = content;
+				type = ($tw.config.fileExtensionInfo[extension] ? $tw.config.fileExtensionInfo[extension].type : "application/octet-stream");
+			}
+			state.sendResponse(status,{"Content-Type": type},content);
+		});
+	} else {
+		state.sendResponse(404,{"Content-Type": "text/plain"},"File '" + suppliedFilename + "' not found");
+	}
 };
 
 }());