Fix static file serving tests now that we've changed how static files are served.

Some things that used to serve 403s now serve app HTML. Some paths with ..'s
that used to resolve to actual app resources now don't.
David Glasser
2013-07-10 16:39:20 -07:00
parent faf49921be
commit 89e2fb1df1


@@ -441,33 +441,37 @@ if (Meteor.isServer) {
}));
};
// no such file
do_test("/nosuchfile", 200, /DOCTYPE/);
do_test("/../nosuchfile", 403);
do_test("/%2e%2e/nosuchfile", 403);
do_test("/%2E%2E/nosuchfile", 403);
do_test("/%2d%2d/nosuchfile", 200, /DOCTYPE/);
// existing static file
var succeeds = [
"/packages/http/test_static.serveme",
do_test("/packages/http/test_static.serveme", 200, /static file serving/);
// no such file, so return the default app HTML.
var getsAppHtml = [
// This file doesn't exist.
"/nosuchfile",
// Our static file serving doesn't process .. or its encoded version, so
// any of these return the app HTML.
"/../nosuchfile",
"/%2e%2e/nosuchfile",
"/%2E%2E/nosuchfile",
"/%2d%2d/nosuchfile",
"/packages/http/../http/test_static.serveme",
"/packages/http/%2e%2e/http/test_static.serveme",
"/packages/http/%2E%2E/http/test_static.serveme",
"/packages/http/../../packages/http/test_static.serveme",
"/packages/http/%2e%2e/%2e%2e/packages/http/test_static.serveme",
"/packages/http/%2E%2E/%2E%2E/packages/http/test_static.serveme",
// ... and they *definitely* shouldn't be able to escape the app bundle.
"/packages/http/../../../../../../packages/http/test_static.serveme",
"/../../../../../../../../../../../bin/ls",
"/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/ls",
"/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/bin/ls"
];
_.each(succeeds, function (path) {
do_test(path, 200, /static file serving/);
_.each(getsAppHtml, function (x) {
do_test(x, 200, /<title>Tests<\/title/);
});
do_test("/packages/http/../../../../../../packages/http/test_static.serveme", 403);
// file outside of our app
do_test("/../../../../../../../../../../../bin/ls", 403);
do_test("/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/ls", 403);
do_test("/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/bin/ls", 403);
}
]);
}
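Review bot: In `getsAppHtml`, the entry `"/%2d%2d/nosuchfile"` sits under the comment about `..` and its encoded forms, but `%2d` decodes to `-`, so it is a control case rather than a traversal case; a line such as `// %2d%2d is "--", not "..": control case, must also get the app HTML` directly above it would keep a later reader from dropping it as a duplicate. The bundle-escape paths are now expected to return 200 instead of 403, so the body regex `/<title>Tests<\/title/` is the only thing that tells a fallback page apart from a file that was actually served; a short comment on the `do_test(x, 200, ...)` call saying so would make clear why the regex must not be loosened back to something like `/DOCTYPE/`. Anything outside this file that relied on 403s to spot these requests (access-log alerting, for instance) would presumably need to match on the request path instead. The rendered page has lost its +/- markers, so which of the interleaved lines belong to the new side is inferred from the commit message.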