superagent.del(config.server() + API + relativeFilePath).query(gQuery).end(function (error, result) {
if (error && error.status === 401) return console.log('Login failed');
if (error && error.status === 404) return console.log('No such file or directory');
+ if (error && error.status === 403) return console.log('No such file or directory');
if (error) return console.log('Failed', result ? result.body : error);
console.log('Success. Removed %s files.', result.body.entries.length);
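Review bot: The added 403 branch prints 'No such file or directory', the same text as the 404 branch above it, so a delete the server refused is reported to the user as a missing path. A 403 means the request was rejected, not that the file is absent, and anyone troubleshooting from the CLI output would look in the wrong place. Print a distinct message, for example `if (error && error.status === 403) return console.log('Forbidden: this path cannot be removed');`. The callback's closing lines are outside the hunk.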
var filePath = req.params[0];
var absoluteFilePath = getAbsolutePath(filePath);
if (!absoluteFilePath) return next(new HttpError(404, 'Not found'));
- if (absoluteFilePath.slice(gBasePath.length) === '') return next(new HttpError(403, 'Forbidden'));
+
+ // absoltueFilePath has to have the base path prepended
+ if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(403, 'Forbidden'));
fs.stat(absoluteFilePath, function (error, result) {
if (error) return next(new HttpError(404, error));
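Review bot: The new guard `absoluteFilePath.length <= gBasePath.length` compares lengths only, so it protects the base directory solely on the assumption that getAbsolutePath() has already confined the result to gBasePath; any longer path outside the base would pass this line. getAbsolutePath() is not visible here, so that confinement should be confirmed or made explicit, e.g. `if (absoluteFilePath.indexOf(gBasePath) !== 0 || absoluteFilePath.length <= gBasePath.length) return next(new HttpError(403, 'Forbidden'));`. A bare prefix test still matches a sibling directory whose name merely starts with the base path unless gBasePath ends with a separator, which cannot be told from this hunk. The added comment misspells the variable and should state the assumption instead: `// getAbsolutePath() returns a path inside gBasePath; equal or shorter length means the base directory itself`. The handler starts before and continues after the visible lines.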