node.js Express res.sendfile throws Forbidden error

Notice: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverflow original URL: http://stackoverflow.com/questions/14594121/

Time: 2020-09-02 17:03:09  Source: igfitidea

Express res.sendfile throwing forbidden error

node.js express

Asked by Joe

I have this code:

res.sendfile( '../../temp/index.html' )

However, it throws this error:

Error: Forbidden
at SendStream.error (/Users/Oliver/Development/Personal/Reader/node_modules/express/node_modules/send/lib/send.js:145:16)
at SendStream.pipe (/Users/Oliver/Development/Personal/Reader/node_modules/express/node_modules/send/lib/send.js:307:39)
at ServerResponse.res.sendfile (/Users/Oliver/Development/Personal/Reader/node_modules/express/lib/response.js:339:8)
at exports.boot (/Users/Oliver/Development/Personal/Reader/server/config/routes.js:18:9)
at callbacks (/Users/Oliver/Development/Personal/Reader/node_modules/express/lib/router/index.js:161:37)
at param (/Users/Oliver/Development/Personal/Reader/node_modules/express/lib/router/index.js:135:11)
at pass (/Users/Oliver/Development/Personal/Reader/node_modules/express/lib/router/index.js:142:5)
at Router._dispatch (/Users/Oliver/Development/Personal/Reader/node_modules/express/lib/router/index.js:170:5)
at Object.router (/Users/Oliver/Development/Personal/Reader/node_modules/express/lib/router/index.js:33:10)
at next (/Users/Oliver/Development/Personal/Reader/node_modules/express/node_modules/connect/lib/proto.js:199:15)

Can anyone tell me why this might be?

Answered by Joe

I believe it's because of the relative path; the "../" is considered malicious. Resolve the local path first, then call res.sendfile. You can resolve the path with path.resolve beforehand.

var path = require('path');
res.sendFile(path.resolve('temp/index.html'));

Answered by derekdreery

This answer gathers together the info from the other answers/comments.

It depends whether you want to include something relative to the process working directory (cwd) or the file directory. Both use the path.resolve function (put var path = require('path') at the top of the file).

  • relative to cwd: path.resolve('../../some/path/to/file.txt');
  • relative to file: path.resolve(__dirname, '../../some/path/to/file.txt');

From reading the link from @Joe's comment, it sounds like relative paths are a security risk if you accept user input for the path (e.g. sendfile('../.ssh/id_rsa') might be a hacker's first try).

Answered by tenor528

The Express documentation suggests doing it a different way, and in my opinion it makes more sense later than the current solution.

res.sendFile('index.html', {root: './temp'});

The root option seems to set ./ as the root directory of your project. So I cannot fully tell where your file is in relation to the project root, but if your temp folder is there, you can set ./temp as the root for the file you're sending.

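One way to confine a user-supplied file name to a single directory before handing it to res.sendFile, which is the concern the answers above raise about "../" paths. This is an added example, not code from the original answers or from Express; the helper name resolveUnderRoot, the directory /srv/app/temp and the sample names are assumptions made up for illustration.

```javascript
const path = require('path');

// Hypothetical helper (not an Express API): resolve `requested` under `root`
// and return the absolute path, or null if it would land outside `root`.
// The check is lexical only; symlinks inside `root` are not followed here.
function resolveUnderRoot(root, requested) {
  if (typeof requested !== 'string' || requested.includes('\0')) return null;
  const absRoot = path.resolve(root);
  // path.resolve collapses "." and ".." segments. An absolute `requested`
  // replaces absRoot entirely, which the relative-path check also catches.
  const target = path.resolve(absRoot, requested);
  const rel = path.relative(absRoot, target);
  // Comparing on a path-segment boundary avoids two classic mistakes:
  // a plain startsWith(absRoot) test accepts the sibling "/srv/app/temp-backup",
  // and a plain rel.startsWith('..') test rejects a legal name like "..notes.txt".
  const escapes =
    rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  return escapes ? null : target;
}

// Constructed sample inputs, as they might arrive in a request parameter.
const ROOT = '/srv/app/temp';
const SAMPLES = [
  'index.html',
  'css/../index.html',
  '../.ssh/id_rsa',
  '/etc/passwd',
  '../temp-backup/index.html',
  '..notes.txt',
];

function checkSamples() {
  return SAMPLES.map((name) => [name, resolveUnderRoot(ROOT, name)]);
}

for (const [name, result] of checkSamples()) {
  console.log(name.padEnd(28), '->', result === null ? 'REJECTED' : result);
}
```

In a route handler, a null result would be answered with a 403 or 404 instead of calling res.sendFile.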