表示res.send文件抛出禁止错误

Question

我有这个代码:

res.sendfile( '../../temp/index.html' )

但是,它会抛出此错误:

Error: Forbidden
at SendStream.error (/Users/Oliver/Development/Personal/Reader/node_modules/express/node_modules/send/lib/send.js:145:16)
at SendStream.pipe (/Users/Oliver/Development/Personal/Reader/node_modules/express/node_modules/send/lib/send.js:307:39)
at ServerResponse.res.sendfile (/Users/Oliver/Development/Personal/Reader/node_modules/express/lib/response.js:339:8)
at exports.boot (/Users/Oliver/Development/Personal/Reader/server/config/routes.js:18:9)
at callbacks (/Users/Oliver/Development/Personal/Reader/node_modules/express/lib/router/index.js:161:37)
at param (/Users/Oliver/Development/Personal/Reader/node_modules/express/lib/router/index.js:135:11)
at pass (/Users/Oliver/Development/Personal/Reader/node_modules/express/lib/router/index.js:142:5)
at Router._dispatch (/Users/Oliver/Development/Personal/Reader/node_modules/express/lib/router/index.js:170:5)
at Object.router (/Users/Oliver/Development/Personal/Reader/node_modules/express/lib/router/index.js:33:10)
at next (/Users/Oliver/Development/Personal/Reader/node_modules/express/node_modules/connect/lib/proto.js:199:15)

谁能告诉我为什么会这样？

Answer 1

我相信这是因为相对的道路; "../"被认为是恶意的.首先解析本地路径,然后调用res.sendfile.您可以path.resolve事先解决路径.

var path = require('path');
res.sendFile(path.resolve('temp/index.html'));

Answer 2

这个答案汇集了其他答案/评论的信息.

这取决于您是否要包含与进程工作目录(cwd)或文件目录相关的内容.两者都使用该path.resolve功能(放在var path = require('path')文件的顶部.

• 相对于cwd: path.resolve('../../some/path/to/file.txt');
• 相对于文件: path.resolve(__dirname+'../../some/path/to/file.txt');

从阅读@ Joe的评论链接,如果您接受路径的用户输入(例如,sendfile('../.ssh/id_rsa')可能是黑客的第一次尝试),听起来相对路径是安全风险.

Answer 3

该Express文档建议做一个不同的方式,在我看来它使晚于当前的解决方案更有意义.

res.sendFile('index.html', {root: './temp'});

root选项似乎设置./为项目的根目录.因此,我无法完全确定您的文件位置与项目根目录相关,但如果您的临时文件夹存在,则可以将其设置./temp为您要发送的文件的根目录.