Proper fix for path traversal

package.json

@@ -2,7 +2,7 @@
     "author": "Calvin Montgomery",
     "name": "CyTube",
     "description": "Online media synchronizer and chat",
-    "version": "2.1.1",
+    "version": "2.1.2",
     "repository": {
         "url": "http://github.com/calzoneman/sync"
     },

server.js

@@ -5,7 +5,7 @@ var Logger = require("./logger");
 var Channel = require("./channel");
 var User = require("./user");
 
-const VERSION = "2.1.1";
+const VERSION = "2.1.2";
 
 function getIP(req) {
     var raw = req.connection.remoteAddress;
@@ -93,15 +93,24 @@ var Server = {
 
         // default path
         this.app.get("/:thing(*)", function (req, res, next) {
-            while(req.params.thing.indexOf("%25") != -1)	
+            var opts = {
-		    req.params.thing = decodeURIComponent(req.params.thing);
+                root: __dirname + "/www",
-	    req.params.thing = decodeURIComponent(req.params.thing);
+            }
-            var root = __dirname + "/www/",
+            res.sendfile(req.params.thing, opts, function (err) {
-                answer = path.resolve (__dirname + "/www/", req.params.thing);
+                if(err) {
-            if (answer.indexOf (root) != 0)
+                    // Damn path traversal attacks
-                res.send (404);
+                    if(req.params.thing.indexOf("%2e") != -1) {
-            else
+                        res.send("Don't try that again, I'll ban you");
-                res.sendfile(__dirname + "/www/" + req.params.thing);
+                        Logger.syslog.log("WARNING: Attempted path "+
+                                          "traversal from /" + getIP(req));
+                        Logger.syslog.log("URL: " + req.url);
+                    }
+                    // Something actually went wrong
+                    else {
+                        res.send(500);
+                    }
+                }
+            });
         });
 
         // fallback