Express: response.sendfile() fails with Error: Forbidden with path includes a symlink

Created on 10 Jan 2013 · 4Comments · Source: expressjs/express

here's the stack:

Error: Forbidden
at SendStream.error (/Users/jlage/Development/web/server/bootstrap/node_modules/express/node_modules/send/lib/send.js:145:16)
at SendStream.pipe (/Users/jlage/Development/web/server/bootstrap/node_modules/express/node_modules/send/lib/send.js:307:39)
at ServerResponse.res.sendfile (/Users/jlage/Development/web/server/bootstrap/node_modules/express/lib/response.js:336:8)
at module.exports.load_funds_list (/Users/jlage/Development/web/amber/controllers/ref-data.js:23:12)
at Object.oncomplete (fs.js:297:15)

Source

jefflage

Most helpful comment

That error comes from the path containing .. (up parent directory) and you didn't supply the root option. Try using sendfile like so:

res.sendfile(path, {'root': '/path/to/root/directory'});

The root option should be the directory you want to serve the files from. It is intended to prevent the path from containing things like .. so a user may get the server to serve a file outside that directory.

dougwilson on 10 Jan 2013

👍5 🚀1

All 4 comments

That error comes from the path containing .. (up parent directory) and you didn't supply the root option. Try using sendfile like so:

res.sendfile(path, {'root': '/path/to/root/directory'});

dougwilson on 10 Jan 2013

👍5 🚀1

are you saying that it explicitly prevents you from using .. in any case?

jefflage on 10 Jan 2013

Yes, path cannot contain .. unless you specify the root option.

dougwilson on 10 Jan 2013

yeah if you're not restricting with a root dir it's a potential security issue. You can resolve() to absolute paths to get around that but if you're accepting user input in those cases that's still a flaw, but if you're not then no big deal!