1.3.1

docs: fix non-https badge
deps: supertest@~0.14.0
2014-10-01 11:36:15 -04:00 · 2014-10-01 11:29:54 -04:00 · 2014-10-01 11:07:38 -04:00 · 2014-10-01 11:05:24 -04:00 · 2014-10-01 11:05:11 -04:00
4 changed files with 22 additions and 10 deletions
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -1,3 +1,11 @@
+1.3.1 / 2014-10-01
+==================
+
+  * Fix incorrect 403 on Windows and Node.js 0.11
+  * deps: accepts@~1.1.1
+    - deps: mime-types@~2.0.2
+    - deps: negotiator@0.4.8
+
 1.3.0 / 2014-09-20
 ==================

--- a/README.md
+++ b/README.md
@@ -117,7 +117,7 @@ are created by/copyright of [FAMFAMFAM](http://www.famfamfam.com/).
 [travis-url]: https://travis-ci.org/expressjs/serve-index
 [coveralls-image]: https://img.shields.io/coveralls/expressjs/serve-index.svg?style=flat
 [coveralls-url]: https://coveralls.io/r/expressjs/serve-index?branch=master
-[downloads-image]: http://img.shields.io/npm/dm/serve-index.svg?style=flat
+[downloads-image]: https://img.shields.io/npm/dm/serve-index.svg?style=flat
 [downloads-url]: https://npmjs.org/package/serve-index
 [gittip-image]: https://img.shields.io/gittip/dougwilson.svg?style=flat
 [gittip-url]: https://www.gittip.com/dougwilson/
--- a/index.js
+++ b/index.js
@@ -79,8 +79,9 @@ exports = module.exports = function serveIndex(root, options){
  // root required
  if (!root) throw new TypeError('serveIndex() root path required');

-  // resolve root to absolute
+  // resolve root to absolute and normalize
  root = resolve(root);
+  root = normalize(root + sep);

  var hidden = options.hidden
    , icons = options.icons
@@ -102,21 +103,24 @@ exports = module.exports = function serveIndex(root, options){
    // parse URLs
    var url = parseUrl(req);
    var originalUrl = parseUrl.original(req);
+    var dir = decodeURIComponent(url.pathname);
+    var originalDir = decodeURIComponent(originalUrl.pathname);

-    var dir = decodeURIComponent(url.pathname)
-      , path = normalize(join(root, dir))
-      , originalDir = decodeURIComponent(originalUrl.pathname)
-    var showUp = resolve(path) !== root;
+    // join / normalize from root dir
+    var path = normalize(join(root, dir));

    // null byte(s), bad request
    if (~path.indexOf('\0')) return next(createError(400));

    // malicious path
-    if (path.substr(0, root.length) !== root) {
+    if ((path + sep).substr(0, root.length) !== root) {
      debug('malicious path "%s"', path);
      return next(createError(403));
    }

+    // determine ".." display
+    var showUp = normalize(resolve(path) + sep) !== root;
+
    // check if we have a directory
    debug('stat "%s"', path);
    fs.stat(path, function(err, stat){
--- a/package.json
+++ b/package.json
@@ -1,12 +1,12 @@
 {
  "name": "serve-index",
  "description": "Serve directory listings",
-  "version": "1.3.0",
+  "version": "1.3.1",
  "author": "Douglas Christopher Wilson <doug@somethingdoug.com>",
  "license": "MIT",
  "repository": "expressjs/serve-index",
  "dependencies": {
-    "accepts": "~1.1.0",
+    "accepts": "~1.1.1",
    "batch": "0.5.1",
    "debug": "~2.0.0",
    "mime-types": "~2.0.1",
@@ -16,7 +16,7 @@
    "istanbul": "0.3.2",
    "mocha": "~1.21.1",
    "should": "~4.0.0",
-    "supertest": "~0.13.0"
+    "supertest": "~0.14.0"
  },
  "files": [
    "public/",
Author	SHA1	Message	Date
Douglas Christopher Wilson	5731ebee6b	1.3.1	2014-10-01 11:36:15 -04:00
Douglas Christopher Wilson	c6b9d3bdbf	docs: fix non-https badge	2014-10-01 11:29:54 -04:00
Douglas Christopher Wilson	4686c18e1d	deps: supertest@~0.14.0	2014-10-01 11:07:38 -04:00
Douglas Christopher Wilson	8a06bb7e19	deps: accepts@~1.1.1	2014-10-01 11:05:24 -04:00
Douglas Christopher Wilson	effbe1a4b0	Fix incorrect 403 on Windows and Node.js 0.11 fixes #17	2014-10-01 11:05:11 -04:00