deps: send@0.11.1

dougwilson · dougwilson · commit 4d027d698853 · 2015-01-20T20:51:46.000-05:00
diff --git a/HISTORY.md b/HISTORY.md
@@ -2,6 +2,8 @@ unreleased
 ==========
 
   * Fix redirect loop in Node.js 0.11.14
+  * deps: send@0.11.1
+    - Fix root path disclosure
 
 1.8.0 / 2015-01-05
 ==================
diff --git a/package.json b/package.json
@@ -8,7 +8,7 @@
   "dependencies": {
     "escape-html": "1.0.1",
     "parseurl": "~1.3.0",
-    "send": "0.11.0",
+    "send": "0.11.1",
     "utils-merge": "1.0.0"
   },
   "devDependencies": {
diff --git a/test/test.js b/test/test.js
@@ -320,7 +320,7 @@ describe('serveStatic()', function(){
     })
   })
 
-  describe('when traversing passed root', function(){
+  describe('when traversing past root', function(){
     var server;
     before(function () {
       server = createServer();
@@ -336,7 +336,13 @@ describe('serveStatic()', function(){
       request(server)
       .get('/users/%2e%2e/%2e%2e/todo.txt')
       .expect(403, done);
-    });
+    })
+
+    it('should not allow root path disclosure', function (done) {
+      request(server)
+      .get('/users/../../fixtures/todo.txt')
+      .expect(403, done);
+    })
   });
 
   describe('on ENOENT', function(){
