From 89e2fb1df1e4972aa93174a3be501bf6b0c21272 Mon Sep 17 00:00:00 2001
From: David Glasser
Date: Wed, 10 Jul 2013 16:39:20 -0700
Subject: [PATCH] Fix static file serving tests now that we've changed how static files are served. Some things that used to serve 403s now serve app HTML. Some paths with ..'s that used to resolve to actual app resources now don't.
---
packages/http/httpcall_tests.js | 40 ++++++++++++++++++---------------
1 file changed, 22 insertions(+), 18 deletions(-)
diff --git a/packages/http/httpcall_tests.js b/packages/http/httpcall_tests.js
index 115806ab05..fddf48b032 100644
--- a/packages/http/httpcall_tests.js
+++ b/packages/http/httpcall_tests.js
@@ -441,33 +441,37 @@ if (Meteor.isServer) {
 }));
 };
- // no such file
- do_test("/nosuchfile", 200, /DOCTYPE/);
- do_test("/../nosuchfile", 403);
- do_test("/%2e%2e/nosuchfile", 403);
- do_test("/%2E%2E/nosuchfile", 403);
- do_test("/%2d%2d/nosuchfile", 200, /DOCTYPE/);
- // existing static file
- var succeeds = [
- "/packages/http/test_static.serveme",
+ do_test("/packages/http/test_static.serveme", 200, /static file serving/);
+
+ // no such file, so return the default app HTML.
+ var getsAppHtml = [
+ // This file doesn't exist.
+ "/nosuchfile",
+
+ // Our static file serving doesn't process .. or its encoded version, so
+ // any of these return the app HTML.
+ "/../nosuchfile",
+ "/%2e%2e/nosuchfile",
+ "/%2E%2E/nosuchfile",
 "/%2d%2d/nosuchfile",
 "/packages/http/../http/test_static.serveme",
 "/packages/http/%2e%2e/http/test_static.serveme",
 "/packages/http/%2E%2E/http/test_static.serveme",
 "/packages/http/../../packages/http/test_static.serveme",
 "/packages/http/%2e%2e/%2e%2e/packages/http/test_static.serveme",
 "/packages/http/%2E%2E/%2E%2E/packages/http/test_static.serveme",
+
+ // ... and they *definitely* shouldn't be able to escape the app bundle.
+ "/packages/http/../../../../../../packages/http/test_static.serveme", + "/../../../../../../../../../../../bin/ls", + "/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/ls", + "/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/bin/ls" ]; - _.each(succeeds, function (path) { - do_test(path, 200, /static file serving/); + + _.each(getsAppHtml, function (x) { + do_test(x, 200, /Tests<\/title/); }); - do_test("/packages/http/../../../../../../packages/http/test_static.serveme", 403); - - // file outside of our app - do_test("/../../../../../../../../../../../bin/ls", 403); - do_test("/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/bin/ls", 403); - do_test("/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/bin/ls", 403); - } ]); }