
A simpler fix might be to canonicalize (i.e. no "..") the public folder path and the requested file path and then ensure the public path is a prefix of the other.

Any fix also needs to be sure to resolve any symlinks before doing a prefix check.
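The check described in the two comments above, sketched in Python as an added example that is not part of the thread: both paths are canonicalized with symlinks resolved, then compared by whole path components rather than as raw strings, so a sibling folder that shares a string prefix is also rejected. The function name `resolve_under` and the directory tree are constructed for illustration.

```python
import os
import tempfile
from typing import Optional


def resolve_under(public_root: str, requested: str) -> Optional[str]:
    """Return the real path of `requested` inside `public_root`, or None if it escapes."""
    # Canonicalize the root: absolute, no "..", symlinks resolved.
    root = os.path.realpath(public_root)
    # Strip leading separators so an absolute request cannot replace the root
    # in os.path.join, then canonicalize the joined path the same way.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    # Compare path components, not strings: startswith() would accept
    # /srv/public_old when the root is /srv/public.
    try:
        inside = os.path.commonpath([root, candidate]) == root
    except ValueError:  # e.g. paths on different drives on Windows
        return None
    return candidate if inside else None


def demo() -> dict:
    """Build a constructed directory tree and run sample requests against it."""
    base = os.path.realpath(tempfile.mkdtemp())
    public = os.path.join(base, "public")
    sibling = os.path.join(base, "public_old")  # shares a string prefix with public
    os.makedirs(public)
    os.makedirs(sibling)
    for path in (os.path.join(public, "index.html"),
                 os.path.join(base, "secret.txt"),
                 os.path.join(sibling, "old.txt")):
        with open(path, "w") as fh:
            fh.write("x")
    # A symlink inside the public folder that points outside it.
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(public, "link.txt"))
    requests = ["index.html", "../secret.txt", "link.txt",
                "../public_old/old.txt", "/index.html"]
    return {r: resolve_under(public, r) is not None for r in requests}


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request!r:28} {'served' if allowed else 'rejected'}")
```

The check and the later file open are separate steps, so a path that is swapped for a symlink between them is not caught by this function alone.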
