Properly check for absolute file paths

diff --git a/cli/actions.js b/cli/actions.js
index 59f0714a6da0b088358570982febdf4e8f4a5c12..d10e1545870cd41f67486d4ac45063c45c89dc81 100644 (file)
--- a/cli/actions.js
+++ b/cli/actions.js
@@ -187,6 +187,7 @@ function del(filePath) {
     superagent.del(config.server() + API + relativeFilePath).query(gQuery).end(function (error, result) {
         if (error && error.status === 401) return console.log('Login failed');
         if (error && error.status === 404) return console.log('No such file or directory');
+        if (error && error.status === 403) return console.log('No such file or directory');
         if (error) return console.log('Failed', result ? result.body : error);
 
         console.log('Success. Removed %s files.', result.body.entries.length);

diff --git a/src/files.js b/src/files.js
index d12782d8c001f5fceefe1b151b1214ce3f13dd94..c2a4e0f570e76032ee0ca17046637a2621dae355 100644 (file)
--- a/src/files.js
+++ b/src/files.js
@@ -106,7 +106,9 @@ function del(req, res, next) {
     var filePath = req.params[0];
     var absoluteFilePath = getAbsolutePath(filePath);
     if (!absoluteFilePath) return next(new HttpError(404, 'Not found'));
-    if (absoluteFilePath.slice(gBasePath.length) === '') return next(new HttpError(403, 'Forbidden'));
+
+    // absoltueFilePath has to have the base path prepended
+    if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(403, 'Forbidden'));
 
     fs.stat(absoluteFilePath, function (error, result) {
         if (error) return next(new HttpError(404, error));