The behavior of `Date.parse` is implementation-dependent and hence cannot be relied on for security purposes. In particular, the implementation in Node.js does accept strings such as `../../../etc/foobar-0` as valid (thanks to the trailing digit). The failure to properly validate the filename is not exploitable, as slashes will never be contained in `parts[2]` thanks to the foregoing `split`, but it is probably still better to have a proper validation in place.

5 年之前 · 8d71613e6b
--- a/server/server.js
+++ b/server/server.js
@@ -89,7 +89,7 @@ function handleRequest(request, response) {
 
				
				 	} else if (parts[0] === "download") {
			
 
				
				 		var boardName = encodeURIComponent(parts[1]),
			
 
				
				 			history_file = path.join(config.HISTORY_DIR, "board-" + boardName + ".json");
			
 
				
				-		if (parts.length > 2 && !isNaN(Date.parse(parts[2]))) {
			
 
				
				+		if (parts.length > 2 && /^[0-9A-Za-z.\-]+$/.test(parts[2])) {
			
 
				
				 			history_file += '.' + parts[2] + '.bak';
			
 
				
				 		}
			
 
				
				 		log("download", { "file": history_file });