var fs = require('fs'),
path = require('path'),
- ejs = require('ejs'),
rm = require('del'),
debug = require('debug')('files'),
mkdirp = require('mkdirp'),
});
}
-function render(view, options) {
- return ejs.render(fs.readFileSync(view, 'utf8'), options);
-}
-
function getAbsolutePath(filePath) {
- var absoluteFilePath = path.resolve(gBasePath, filePath);
+ var absoluteFilePath = path.resolve(path.join(gBasePath, filePath));
if (absoluteFilePath.indexOf(gBasePath) !== 0) return null;
return absoluteFilePath;
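Review bot: The containment check on the line after the new `path.join` is still a bare string-prefix test, so with a base of `/srv/files` a request resolving to `/srv/files-old/secret` passes `indexOf(gBasePath) === 0` and is served; the `join` change only fixes absolute `filePath` values, not this sibling-directory case. Tighten it to match either the base itself or a path under it: `if (absoluteFilePath !== gBasePath && absoluteFilePath.indexOf(gBasePath + path.sep) !== 0) return null;`, which presumes `gBasePath` is itself resolved and has no trailing separator — confirm where it is assigned, since that is outside this hunk. Note also that `path.resolve` only normalizes `..` lexically; a symlink inside the base that points outside it would still be followed by the later `res.sendFile`, so if untrusted content can create symlinks a `fs.realpath` step before the prefix test is needed. The closing brace of `getAbsolutePath` is not visible in the hunk.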
debug('get', absoluteFilePath);
if (result.isFile()) return res.sendFile(absoluteFilePath);
- if (result.isDirectory()) return res.status(200).send({ entries: fs.readdirSync(absoluteFilePath) });
+ if (result.isDirectory()) return res.status(222).send({ entries: fs.readdirSync(absoluteFilePath) });
return next(new HttpError(500, 'unsupported type'));
});
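Review bot: Status `222` on the new directory-listing line is not a registered HTTP status code, so intermediaries and client libraries will treat it as a generic 2xx at best and the intent (presumably distinguishing a listing from a file body) is not communicated in any standard way; the `{ entries: [...] }` body already distinguishes the two, so `res.status(200)` is the safer choice, or set a response header if the caller truly needs a signal outside the body. Separately, `fs.readdirSync` runs inside a request handler while the surrounding `fs.stat` is async, so a large or slow directory blocks the event loop for every other request; `fs.readdir(absoluteFilePath, function (err, entries) { ... })` keeps this path non-blocking. The enclosing handler starts and ends outside this hunk.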
var filePath = req.params[0];
var absoluteFilePath = getAbsolutePath(filePath);
if (!absoluteFilePath) return next(new HttpError(404, 'Not found'));
- if (absoluteFilePath.slice(gBasePath.length) === '') return next(new HttpError(403, 'Forbidden'));
+
+ // absoltueFilePath has to have the base path prepended
+ if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(403, 'Forbidden'));
fs.stat(absoluteFilePath, function (error, result) {
if (error) return next(new HttpError(404, error));
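Review bot: The added comment misspells the variable (`absoltueFilePath`) and describes the wrong thing: `getAbsolutePath()` has already guaranteed the base-path prefix by this point, and what the `length <=` test actually does is reject a request that resolves to the base directory itself, exactly as the removed `slice(...) === ''` check did. A comment stating that is more useful to the next reader, e.g. `// getAbsolutePath() guarantees the base-path prefix; refuse to operate on the base directory itself`. The rest of the `fs.stat` callback and the enclosing handler continue outside this hunk.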