]> git.immae.eu Git - perso/Immae/Projets/Nodejs/Surfer.git/blobdiff - src/files.js
projects / perso / Immae / Projets / Nodejs / Surfer.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Properly check for absolute file paths
[perso/Immae/Projets/Nodejs/Surfer.git] / src / files.js
diff --git a/src/files.js b/src/files.js
index d12782d8c001f5fceefe1b151b1214ce3f13dd94..c2a4e0f570e76032ee0ca17046637a2621dae355 100644 (file)
--- a/src/files.js
+++ b/src/files.js
@@ -106,7 +106,9 @@ function del(req, res, next) {
     var filePath = req.params[0];
     var absoluteFilePath = getAbsolutePath(filePath);
     if (!absoluteFilePath) return next(new HttpError(404, 'Not found'));
-    if (absoluteFilePath.slice(gBasePath.length) === '') return next(new HttpError(403, 'Forbidden'));
+
+    // absoltueFilePath has to have the base path prepended
+    if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(403, 'Forbidden'));
 
     fs.stat(absoluteFilePath, function (error, result) {
         if (error) return next(new HttpError(404, error));
Surfer is a Simple static file server