From d755925f749b88157e0935a7fa3c3ed94480292e Mon Sep 17 00:00:00 2001
From: Johannes Zellner
Date: Tue, 1 Mar 2016 12:42:13 +0100
Subject: [PATCH] Properly check for absolute file paths

---
 cli/actions.js | 1 +
 src/files.js | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/cli/actions.js b/cli/actions.js
index 59f0714..d10e154 100644
--- a/cli/actions.js
+++ b/cli/actions.js
@@ -187,6 +187,7 @@ function del(filePath) {
 superagent.del(config.server() + API + relativeFilePath).query(gQuery).end(function (error, result) {
 if (error && error.status === 401) return console.log('Login failed');
 if (error && error.status === 404) return console.log('No such file or directory');
+ if (error && error.status === 403) return console.log('No such file or directory');
 if (error) return console.log('Failed', result ? result.body : error);
 
 console.log('Success. Removed %s files.', result.body.entries.length);
diff --git a/src/files.js b/src/files.js
index d12782d..c2a4e0f 100644
--- a/src/files.js
+++ b/src/files.js
@@ -106,7 +106,9 @@ function del(req, res, next) {
 var filePath = req.params[0];
 var absoluteFilePath = getAbsolutePath(filePath);
 if (!absoluteFilePath) return next(new HttpError(404, 'Not found'));
- if (absoluteFilePath.slice(gBasePath.length) === '') return next(new HttpError(403, 'Forbidden'));
+
+ // absoltueFilePath has to have the base path prepended
+ if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(403, 'Forbidden'));
 
 fs.stat(absoluteFilePath, function (error, result) {
 if (error) return next(new HttpError(404, error));
-- 
2.41.0
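Review bot: The added 403 branch in cli/actions.js prints 'No such file or directory', the same text as the 404 branch, although the server sends 403 for a request it refuses (the src/files.js hunk in this commit returns 403 'Forbidden' for a path that does not extend past the base directory), so the user is told the file is missing when the operation was actually denied. Since the server already distinguishes the two cases, the client should not collapse them; `if (error && error.status === 403) return console.log('Permission denied');` keeps the diagnostic honest and makes a refused delete of the root distinguishable from a typo in the path. The enclosing del(filePath) callback begins at the hunk header and its body continues past the end of the hunk.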
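Review bot: The new guard in src/files.js only compares lengths, so it establishes that absoluteFilePath is longer than gBasePath, not that it lies inside it; the accompanying comment says the base path "has to have been prepended", but nothing on this line checks that prefix, and whether getAbsolutePath already enforces containment is not visible from the hunk. If containment is meant to be decided here, compute the relation with the path module rather than by length or raw string prefix (a bare prefix test also accepts a sibling directory whose name merely starts with the base name): `var relativePath = path.relative(gBasePath, absoluteFilePath);` followed by `if (relativePath === '' || relativePath.indexOf('..') === 0 || path.isAbsolute(relativePath)) return next(new HttpError(403, 'Forbidden'));`, which rejects the base directory itself and anything resolving outside it; `path` may need to be required at the top of the file if it is not already. The comment should also read `// absoluteFilePath has to have the base path prepended` (typo in "absoltueFilePath"). del(req, res, next) starts at the hunk header and the fs.stat callback continues outside the hunk.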