Merge pull request senchalabs#480 from aheckmann/malformedURI

malformedURIs return 400
path · Feb 23, 2012 · d939271 · d939271
2 parents 480e6bb + 9a20b6c
commit d939271
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 2 deletions.
diff --git a/lib/middleware/static.js b/lib/middleware/static.js
@@ -69,6 +69,24 @@ exports = module.exports = function static(root, options){
 
 exports.mime = mime;
 
+/**
+ * decodeURIComponent.
+ *
+ * Allows V8 to only deoptimize this fn instead of all
+ * of send().
+ *
+ * @param {String} path
+ * @api private
+ */
+
+function decode(path){
+  try {
+    return decodeURIComponent(path);
+  } catch (err) {
+    return err;
+  }
+}
+
 /**
  * Attempt to tranfer the requested file to `res`.
  *
@@ -103,9 +121,11 @@ var send = exports.send = function(req, res, next, options){
 
   // parse url
   var url = parse(options.path)
-    , path = decodeURIComponent(url.pathname)
+    , path = decode(url.pathname)
     , type;
 
+  if ('URIError: URI malformed' == path) return next(utils.error(400));
+
   // null byte(s)
   if (~path.indexOf('\0')) return next(utils.error(400));
 

diff --git a/test/static.js b/test/static.js
@@ -169,6 +169,14 @@ describe('connect.static()', function(){
     })
   })
 
+  describe('malformedURIs', function(){
+    it('should respond with 400', function(done){
+      app.request()
+      .get('/%')
+      .expect(400, done)
+    });
+  })
+
   // TODO: node bug
   // describe('on ENAMETOOLONG', function(){
   //   it('should next()', function(done){
@@ -179,4 +187,4 @@ describe('connect.static()', function(){
   //     .expect(404, done);
   //   })
   // })
-})
+})