From f71244e6fe0aa258ca3aff876961f2ebc0d6a1ce Mon Sep 17 00:00:00 2001
From: Aaron Heckmann
Date: Thu, 23 Feb 2012 09:12:59 -0500
Subject: [PATCH 1/2] malformedURIs return 400
---
 lib/middleware/static.js | 8 +++++++-
 test/static.js | 8 ++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/lib/middleware/static.js b/lib/middleware/static.js
index bbe62e94e..4a1ec66c1 100644
--- a/lib/middleware/static.js
+++ b/lib/middleware/static.js
@@ -103,9 +103,15 @@ var send = exports.send = function(req, res, next, options){
 // parse url
 var url = parse(options.path)
- , path = decodeURIComponent(url.pathname)
+ , path
 , type;
+ try {
+ path = decodeURIComponent(url.pathname)
+ } catch (_) {
+ return next(utils.error(400));
+ }
+
 // null byte(s)
 if (~path.indexOf('\0')) return next(utils.error(400));
diff --git a/test/static.js b/test/static.js
index bc2bf93e0..dab2ef55e 100644
--- a/test/static.js
+++ b/test/static.js
@@ -169,6 +169,14 @@ describe('connect.static()', function(){
 })
 })
+ describe('malformedURIs', function(){
+ it('should respond with 400', function(done){
+ app.request()
+ .get('/%')
+ .expect(400, done)
+ });
+ })
+
 // TODO: node bug
 // describe('on ENAMETOOLONG', function(){
 // it('should next()', function(done){
From 9a20b6c9028e25e26711927b4786fb9ed3e4a584 Mon Sep 17 00:00:00 2001
From: Aaron Heckmann
Date: Thu, 23 Feb 2012 10:45:38 -0500
Subject: [PATCH 2/2] sidestep v8 deopt only will deoptimize decode() instead of all of send() due to the try/catch
---
 lib/middleware/static.js | 26 ++++++++++++++++++++------
 test/static.js | 2 +-
 2 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/lib/middleware/static.js b/lib/middleware/static.js
index 4a1ec66c1..c4bcbb5a5 100644
--- a/lib/middleware/static.js
+++ b/lib/middleware/static.js
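Review bot: The new `try`/`catch` around `decodeURIComponent(url.pathname)` in `send()` carries no comment saying which failure it guards against, and the unnamed `catch (_)` gives the reader no hint either. I would add above the `try`: `// decodeURIComponent() throws URIError on malformed percent-escapes (e.g. "/%"); answer 400 instead of letting it escape send()`. The body of `send()` starts and ends outside this hunk.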
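Review bot: The `malformedURIs` test added to test/static.js pins only a lone `%`, so a regression that handles that one input but not other undecodable escapes would go unnoticed. A truncated multi-byte sequence takes the same `URIError` path in `decodeURIComponent`; a second case with `.get('/%E0%A4%A')` and `.expect(400, done)` would cover it. The enclosing `describe('connect.static()')` block begins and ends outside the hunk.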
@@ -69,6 +69,24 @@ exports = module.exports = function static(root, options){
 exports.mime = mime;
+/**
+ * decodeURIComponent.
+ *
+ * Allows V8 to only deoptimize this fn instead of all
+ * of send().
+ *
+ * @param {String} path
+ * @api private
+ */
+
+function decode(path){
+ try {
+ return decodeURIComponent(path);
+ } catch (err) {
+ return err;
+ }
+}
+
 /**
 * Attempt to tranfer the requested file to `res`.
 *
@@ -103,14 +121,10 @@ var send = exports.send = function(req, res, next, options){
 // parse url
 var url = parse(options.path)
- , path
+ , path = decode(url.pathname)
 , type;
- try {
- path = decodeURIComponent(url.pathname)
- } catch (_) {
- return next(utils.error(400));
- }
+ if ('URIError: URI malformed' == path) return next(utils.error(400));
 // null byte(s)
 if (~path.indexOf('\0')) return next(utils.error(400));
diff --git a/test/static.js b/test/static.js
index dab2ef55e..74e2b04dc 100644
--- a/test/static.js
+++ b/test/static.js
@@ -187,4 +187,4 @@ describe('connect.static()', function(){
 // .expect(404, done);
 // })
 // })
-})
\ No newline at end of file
+})
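Review bot: The doc block on the new `decode()` helper does not say that the function returns the caught error object instead of throwing, so a caller has to read the body to learn that the result may not be a string. Add `@return {String|Error} decoded path, or the caught error when the input is malformed`, and replace the summary line `decodeURIComponent.` with a sentence that states this contract.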
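Review bot: The check `'URIError: URI malformed' == path` in `send()` holds only when the loose `==` stringifies the Error returned by `decode()` to exactly that text, and the message wording is chosen by the engine rather than fixed by the language. If the text ever differs, the Error object falls through to `path.indexOf('\0')` on the following line, where `indexOf` is not a function, so a malformed URI would throw inside `send()` instead of producing the 400. Test the type rather than the message: `if (path instanceof URIError) return next(utils.error(400));`. `send()` begins and ends outside this hunk.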