diff options
| author | Johannes Zellner <johannes@nebulon.de> | 2016-03-01 19:04:23 +0100 |
|---|---|---|
| committer | Johannes Zellner <johannes@nebulon.de> | 2016-03-01 19:04:23 +0100 |
| commit | aa88a75382d0f5ff2929768a412d8ec64dfc6296 (patch) | |
| tree | 63b11e23dacec1ada7fd512ab5c8ce5d5adb568e | |
| parent | 04bc2989d966224126196280a529225d2bd115eb (diff) | |
| download | Surfer-aa88a75382d0f5ff2929768a412d8ec64dfc6296.tar.gz Surfer-aa88a75382d0f5ff2929768a412d8ec64dfc6296.tar.zst Surfer-aa88a75382d0f5ff2929768a412d8ec64dfc6296.zip | |
protect _admin/
| -rw-r--r-- | app/index.html | 6 | ||||
| -rw-r--r-- | cli/actions.js | 9 | ||||
| -rw-r--r-- | src/files.js | 8 |
3 files changed, 15 insertions, 8 deletions
diff --git a/app/index.html b/app/index.html index 99ae525..f6561a3 100644 --- a/app/index.html +++ b/app/index.html | |||
| @@ -119,6 +119,9 @@ | |||
| 119 | </li> | 119 | </li> |
| 120 | </ol> | 120 | </ol> |
| 121 | </div> | 121 | </div> |
| 122 | <div class="col-lg-12" style="text-align: right;"> | ||
| 123 | <button class="btn btn-default btn-sm" v-on:click="createDirectoryAsk()">Create Directory</button> | ||
| 124 | </div> | ||
| 122 | <div class="col-lg-12"> | 125 | <div class="col-lg-12"> |
| 123 | <table class="table table-hover table-condensed"> | 126 | <table class="table table-hover table-condensed"> |
| 124 | <thead> | 127 | <thead> |
| @@ -150,9 +153,6 @@ | |||
| 150 | </tbody> | 153 | </tbody> |
| 151 | </table> | 154 | </table> |
| 152 | </div> | 155 | </div> |
| 153 | <div class="col-lg-12" style="text-align: right;"> | ||
| 154 | <button class="btn btn-default btn-sm" v-on:click="createDirectoryAsk()">Create Directory</button> | ||
| 155 | </div> | ||
| 156 | </div> | 156 | </div> |
| 157 | </div> | 157 | </div> |
| 158 | 158 | ||
diff --git a/cli/actions.js b/cli/actions.js index 6f8faea..69ffa10 100644 --- a/cli/actions.js +++ b/cli/actions.js | |||
| @@ -119,8 +119,9 @@ function put(filePath, otherFilePaths, options) { | |||
| 119 | console.log('Uploading file %s -> %s', relativeFilePath.cyan, destinationPath.cyan); | 119 | console.log('Uploading file %s -> %s', relativeFilePath.cyan, destinationPath.cyan); |
| 120 | 120 | ||
| 121 | superagent.put(config.server() + API + destinationPath).query(gQuery).attach('file', file).end(function (error, result) { | 121 | superagent.put(config.server() + API + destinationPath).query(gQuery).attach('file', file).end(function (error, result) { |
| 122 | if (result && result.statusCode === 403) return callback(new Error('Upload destination ' + destinationPath + ' not allowed')); | ||
| 123 | if (result && result.statusCode !== 201) return callback(new Error('Error uploading file: ' + result.statusCode)); | ||
| 122 | if (error) return callback(error); | 124 | if (error) return callback(error); |
| 123 | if (result.statusCode !== 201) return callback(new Error('Error uploading file: ' + result.statusCode)); | ||
| 124 | 125 | ||
| 125 | console.log('Uploaded to ' + config.server() + destinationPath); | 126 | console.log('Uploaded to ' + config.server() + destinationPath); |
| 126 | 127 | ||
| @@ -128,7 +129,7 @@ function put(filePath, otherFilePaths, options) { | |||
| 128 | }); | 129 | }); |
| 129 | }, function (error) { | 130 | }, function (error) { |
| 130 | if (error) { | 131 | if (error) { |
| 131 | console.log('Failed to put file.', error); | 132 | console.log('Failed to put file.', error.message.red); |
| 132 | process.exit(1); | 133 | process.exit(1); |
| 133 | } | 134 | } |
| 134 | 135 | ||
| @@ -143,9 +144,9 @@ function get(filePath) { | |||
| 143 | filePath = filePath || '/'; | 144 | filePath = filePath || '/'; |
| 144 | 145 | ||
| 145 | request.get(config.server() + API + filePath, { qs: gQuery }, function (error, result, body) { | 146 | request.get(config.server() + API + filePath, { qs: gQuery }, function (error, result, body) { |
| 147 | if (result && result.statusCode === 401) return console.log('Login failed'); | ||
| 148 | if (result && result.statusCode === 404) return console.log('No such file or directory %s', filePath.yellow); | ||
| 146 | if (error) return console.error(error); | 149 | if (error) return console.error(error); |
| 147 | if (result.statusCode === 401) return console.log('Login failed'); | ||
| 148 | if (result.statusCode === 404) return console.log('No such file or directory %s', filePath.yellow); | ||
| 149 | 150 | ||
| 150 | // 222 indicates directory listing | 151 | // 222 indicates directory listing |
| 151 | if (result.statusCode === 222) { | 152 | if (result.statusCode === 222) { |
diff --git a/src/files.js b/src/files.js index 8a4115f..99b3aa2 100644 --- a/src/files.js +++ b/src/files.js | |||
| @@ -61,6 +61,10 @@ function createDirectory(targetPath, callback) { | |||
| 61 | }); | 61 | }); |
| 62 | } | 62 | } |
| 63 | 63 | ||
| 64 | function isProtected(targetPath) { | ||
| 65 | return targetPath.indexOf(getAbsolutePath('_admin')) === 0; | ||
| 66 | } | ||
| 67 | |||
| 64 | function getAbsolutePath(filePath) { | 68 | function getAbsolutePath(filePath) { |
| 65 | var absoluteFilePath = path.resolve(path.join(gBasePath, filePath)); | 69 | var absoluteFilePath = path.resolve(path.join(gBasePath, filePath)); |
| 66 | 70 | ||
| @@ -114,7 +118,7 @@ function put(req, res, next) { | |||
| 114 | if ((req.files && req.files.file) && req.query.directory) return next(new HttpError(400, 'either file or directory')); | 118 | if ((req.files && req.files.file) && req.query.directory) return next(new HttpError(400, 'either file or directory')); |
| 115 | 119 | ||
| 116 | var absoluteFilePath = getAbsolutePath(filePath); | 120 | var absoluteFilePath = getAbsolutePath(filePath); |
| 117 | if (!absoluteFilePath) return next(new HttpError(403, 'Path not allowed')); | 121 | if (!absoluteFilePath || isProtected(absoluteFilePath)) return next(new HttpError(403, 'Path not allowed')); |
| 118 | 122 | ||
| 119 | fs.stat(absoluteFilePath, function (error, result) { | 123 | fs.stat(absoluteFilePath, function (error, result) { |
| 120 | if (error && error.code !== 'ENOENT') return next(new HttpError(500, error)); | 124 | if (error && error.code !== 'ENOENT') return next(new HttpError(500, error)); |
| @@ -148,6 +152,8 @@ function del(req, res, next) { | |||
| 148 | var absoluteFilePath = getAbsolutePath(filePath); | 152 | var absoluteFilePath = getAbsolutePath(filePath); |
| 149 | if (!absoluteFilePath) return next(new HttpError(404, 'Not found')); | 153 | if (!absoluteFilePath) return next(new HttpError(404, 'Not found')); |
| 150 | 154 | ||
| 155 | if (isProtected(absoluteFilePath)) return next(new HttpError(403, 'Path not allowed')); | ||
| 156 | |||
| 151 | // absoltueFilePath has to have the base path prepended | 157 | // absoltueFilePath has to have the base path prepended |
| 152 | if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(404, 'Not found')); | 158 | if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(404, 'Not found')); |
| 153 | 159 | ||