author | Johannes Zellner <johannes@nebulon.de> | 2016-03-01 12:42:13 +0100 |
---|---|---|
committer | Johannes Zellner <johannes@nebulon.de> | 2016-03-01 12:42:13 +0100 |
commit | d755925f749b88157e0935a7fa3c3ed94480292e (patch) | |
tree | 086d32ac5290cd2c92567ff383bf68d3660c5336 | |
parent | 24545229fc52aa6d948f9081472e65c7f17eaa14 (diff) | |
Properly check for absolute file paths
-rw-r--r-- | cli/actions.js | 1 | ||||
-rw-r--r-- | src/files.js | 4 |
2 files changed, 4 insertions, 1 deletions
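--- a/cli/actions.js
+++ b/cli/actions.js
@@ -187,6 +187,7 @@ function del(filePath) {
 superagent.del(config.server() + API + relativeFilePath).query(gQuery).end(function (error, result) {
 if (error && error.status === 401) return console.log('Login failed');
 if (error && error.status === 404) return console.log('No such file or directory');
+if (error && error.status === 403) return console.log('No such file or directory');
 if (error) return console.log('Failed', result ? result.body : error);
 
 console.log('Success. Removed %s files.', result.body.entries.length);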
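Review bot: The new 403 branch prints the same 'No such file or directory' text as the 404 branch directly above it, so a user cannot tell a forbidden deletion (which the server side of this commit returns when the resolved path does not extend past its base directory) from a genuinely missing file. A distinct message keeps the 404 text accurate, e.g. `if (error && error.status === 403) return console.log('Forbidden');`. If collapsing the two cases is deliberate, a one-line comment on the new line saying so would stop the next reader from "fixing" it. The enclosing callback and del() both continue outside the hunk.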
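--- a/src/files.js
+++ b/src/files.js
@@ -106,7 +106,9 @@ function del(req, res, next) {
 var filePath = req.params[0];
 var absoluteFilePath = getAbsolutePath(filePath);
 if (!absoluteFilePath) return next(new HttpError(404, 'Not found'));
-if (absoluteFilePath.slice(gBasePath.length) === '') return next(new HttpError(403, 'Forbidden'));
+
+// absoltueFilePath has to have the base path prepended
+if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(403, 'Forbidden'));
 
 fs.stat(absoluteFilePath, function (error, result) {
 if (error) return next(new HttpError(404, error));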
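Review bot: The replacement guard on new line 111 compares only string lengths, so it enforces what the comment on line 110 states only if getAbsolutePath() (outside this hunk) already guarantees that gBasePath is a prefix of every value it returns; any longer path outside the base would pass it unchanged. Checking the prefix itself makes the intent explicit and independent of that helper, e.g. `if (absoluteFilePath.slice(0, gBasePath.length) !== gBasePath) return next(new HttpError(403, 'Forbidden'));`, ideally together with a check that the character following the prefix is a path separator so a sibling directory sharing the base name is rejected as well. The new comment also misspells the variable: `// absoluteFilePath has to have the base path prepended`. del() starts before and ends after this hunk.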