X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=src%2Ffiles.js;h=c2a4e0f570e76032ee0ca17046637a2621dae355;hb=d755925f749b88157e0935a7fa3c3ed94480292e;hp=d12782d8c001f5fceefe1b151b1214ce3f13dd94;hpb=24545229fc52aa6d948f9081472e65c7f17eaa14;p=perso%2FImmae%2FProjets%2FNodejs%2FSurfer.git
diff --git a/src/files.js b/src/files.js
index d12782d..c2a4e0f 100644
--- a/src/files.js
+++ b/src/files.js
@@ -106,7 +106,9 @@ function del(req, res, next) {
 var filePath = req.params[0];
 var absoluteFilePath = getAbsolutePath(filePath);
 if (!absoluteFilePath) return next(new HttpError(404, 'Not found'));
-if (absoluteFilePath.slice(gBasePath.length) === '') return next(new HttpError(403, 'Forbidden'));
+
+// absoltueFilePath has to have the base path prepended
+if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(403, 'Forbidden'));
 
 fs.stat(absoluteFilePath, function (error, result) {
 if (error) return next(new HttpError(404, error));
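Review bot: The new guard `absoluteFilePath.length <= gBasePath.length` only rejects deleting the base directory itself if getAbsolutePath() has already confined the path under gBasePath; a length comparison says nothing about the prefix, and getAbsolutePath() is outside this hunk, so that contract should be stated where the guard reads it. The added comment also misspells the variable and describes a precondition rather than the guard's purpose; suggest `// Refuse to delete gBasePath itself. Relies on getAbsolutePath() having rejected anything outside gBasePath.` Note the old `slice(gBasePath.length) === ''` test was true under exactly the same condition, so the commit changes readability, not behaviour. The body of del() continues past the end of the hunk.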