</li>
</ol>
</div>
+ <div class="col-lg-12" style="text-align: right;">
+ <button class="btn btn-default btn-sm" v-on:click="createDirectoryAsk()">Create Directory</button>
+ </div>
<div class="col-lg-12">
<table class="table table-hover table-condensed">
<thead>
</tbody>
</table>
</div>
- <div class="col-lg-12" style="text-align: right;">
- <button class="btn btn-default btn-sm" v-on:click="createDirectoryAsk()">Create Directory</button>
- </div>
</div>
</div>
console.log('Uploading file %s -> %s', relativeFilePath.cyan, destinationPath.cyan);
superagent.put(config.server() + API + destinationPath).query(gQuery).attach('file', file).end(function (error, result) {
+ if (result && result.statusCode === 403) return callback(new Error('Upload destination ' + destinationPath + ' not allowed'));
+ if (result && result.statusCode !== 201) return callback(new Error('Error uploading file: ' + result.statusCode));
if (error) return callback(error);
- if (result.statusCode !== 201) return callback(new Error('Error uploading file: ' + result.statusCode));
console.log('Uploaded to ' + config.server() + destinationPath);
});
}, function (error) {
if (error) {
- console.log('Failed to put file.', error);
+ console.log('Failed to put file.', error.message.red);
process.exit(1);
}
filePath = filePath || '/';
request.get(config.server() + API + filePath, { qs: gQuery }, function (error, result, body) {
+ if (result && result.statusCode === 401) return console.log('Login failed');
+ if (result && result.statusCode === 404) return console.log('No such file or directory %s', filePath.yellow);
if (error) return console.error(error);
- if (result.statusCode === 401) return console.log('Login failed');
- if (result.statusCode === 404) return console.log('No such file or directory %s', filePath.yellow);
// 222 indicates directory listing
if (result.statusCode === 222) {
});
}
+function isProtected(targetPath) {
+ return targetPath.indexOf(getAbsolutePath('_admin')) === 0;
+}
+
function getAbsolutePath(filePath) {
var absoluteFilePath = path.resolve(path.join(gBasePath, filePath));
if ((req.files && req.files.file) && req.query.directory) return next(new HttpError(400, 'either file or directory'));
var absoluteFilePath = getAbsolutePath(filePath);
- if (!absoluteFilePath) return next(new HttpError(403, 'Path not allowed'));
+ if (!absoluteFilePath || isProtected(absoluteFilePath)) return next(new HttpError(403, 'Path not allowed'));
fs.stat(absoluteFilePath, function (error, result) {
if (error && error.code !== 'ENOENT') return next(new HttpError(500, error));
var absoluteFilePath = getAbsolutePath(filePath);
if (!absoluteFilePath) return next(new HttpError(404, 'Not found'));
+ if (isProtected(absoluteFilePath)) return next(new HttpError(403, 'Path not allowed'));
+
// absoltueFilePath has to have the base path prepended
if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(404, 'Not found'));
projects / perso / Immae / Projets / Nodejs / Surfer.git / commitdiff
