Properly check for absolute file paths

[perso/Immae/Projets/Nodejs/Surfer.git] / src / files.js

diff --git a/src/files.js b/src/files.js
index 3b28d3ff31d6e3fd6378338001df8c9bd34f9dd9..c2a4e0f570e76032ee0ca17046637a2621dae355 100644 (file)
--- a/src/files.js
+++ b/src/files.js
@@ -54,7 +54,7 @@ function copyFile(source, target, cb) {
 }
 
 function getAbsolutePath(filePath) {
-    var absoluteFilePath = path.resolve(gBasePath, filePath);
+    var absoluteFilePath = path.resolve(path.join(gBasePath, filePath));
 
     if (absoluteFilePath.indexOf(gBasePath) !== 0) return null;
     return absoluteFilePath;
@@ -71,7 +71,7 @@ function get(req, res, next) {
         debug('get', absoluteFilePath);
 
         if (result.isFile()) return res.sendFile(absoluteFilePath);
-        if (result.isDirectory()) return res.status(200).send({ entries: fs.readdirSync(absoluteFilePath) });
+        if (result.isDirectory()) return res.status(222).send({ entries: fs.readdirSync(absoluteFilePath) });
 
         return next(new HttpError(500, 'unsupported type'));
     });
@@ -106,7 +106,9 @@ function del(req, res, next) {
     var filePath = req.params[0];
     var absoluteFilePath = getAbsolutePath(filePath);
     if (!absoluteFilePath) return next(new HttpError(404, 'Not found'));
-    if (absoluteFilePath.slice(gBasePath.length) === '') return next(new HttpError(403, 'Forbidden'));
+
+    // absoltueFilePath has to have the base path prepended
+    if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(403, 'Forbidden'));
 
     fs.stat(absoluteFilePath, function (error, result) {
         if (error) return next(new HttpError(404, error));