diff options
| author | Johannes Zellner <johannes@nebulon.de> | 2016-03-01 19:04:23 +0100 |
|---|---|---|
| committer | Johannes Zellner <johannes@nebulon.de> | 2016-03-01 19:04:23 +0100 |
| commit | aa88a75382d0f5ff2929768a412d8ec64dfc6296 (patch) | |
| tree | 63b11e23dacec1ada7fd512ab5c8ce5d5adb568e /src | |
| parent | 04bc2989d966224126196280a529225d2bd115eb (diff) | |
| download | Surfer-aa88a75382d0f5ff2929768a412d8ec64dfc6296.tar.gz Surfer-aa88a75382d0f5ff2929768a412d8ec64dfc6296.tar.zst Surfer-aa88a75382d0f5ff2929768a412d8ec64dfc6296.zip | |
protect _admin/
Diffstat (limited to 'src')
| -rw-r--r-- | src/files.js | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/src/files.js b/src/files.js index 8a4115f..99b3aa2 100644 --- a/src/files.js +++ b/src/files.js | |||
| @@ -61,6 +61,10 @@ function createDirectory(targetPath, callback) { | |||
| 61 | }); | 61 | }); |
| 62 | } | 62 | } |
| 63 | 63 | ||
| 64 | function isProtected(targetPath) { | ||
| 65 | return targetPath.indexOf(getAbsolutePath('_admin')) === 0; | ||
| 66 | } | ||
| 67 | |||
| 64 | function getAbsolutePath(filePath) { | 68 | function getAbsolutePath(filePath) { |
| 65 | var absoluteFilePath = path.resolve(path.join(gBasePath, filePath)); | 69 | var absoluteFilePath = path.resolve(path.join(gBasePath, filePath)); |
| 66 | 70 | ||
| @@ -114,7 +118,7 @@ function put(req, res, next) { | |||
| 114 | if ((req.files && req.files.file) && req.query.directory) return next(new HttpError(400, 'either file or directory')); | 118 | if ((req.files && req.files.file) && req.query.directory) return next(new HttpError(400, 'either file or directory')); |
| 115 | 119 | ||
| 116 | var absoluteFilePath = getAbsolutePath(filePath); | 120 | var absoluteFilePath = getAbsolutePath(filePath); |
| 117 | if (!absoluteFilePath) return next(new HttpError(403, 'Path not allowed')); | 121 | if (!absoluteFilePath || isProtected(absoluteFilePath)) return next(new HttpError(403, 'Path not allowed')); |
| 118 | 122 | ||
| 119 | fs.stat(absoluteFilePath, function (error, result) { | 123 | fs.stat(absoluteFilePath, function (error, result) { |
| 120 | if (error && error.code !== 'ENOENT') return next(new HttpError(500, error)); | 124 | if (error && error.code !== 'ENOENT') return next(new HttpError(500, error)); |
| @@ -148,6 +152,8 @@ function del(req, res, next) { | |||
| 148 | var absoluteFilePath = getAbsolutePath(filePath); | 152 | var absoluteFilePath = getAbsolutePath(filePath); |
| 149 | if (!absoluteFilePath) return next(new HttpError(404, 'Not found')); | 153 | if (!absoluteFilePath) return next(new HttpError(404, 'Not found')); |
| 150 | 154 | ||
| 155 | if (isProtected(absoluteFilePath)) return next(new HttpError(403, 'Path not allowed')); | ||
| 156 | |||
| 151 | // absoltueFilePath has to have the base path prepended | 157 | // absoltueFilePath has to have the base path prepended |
| 152 | if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(404, 'Not found')); | 158 | if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(404, 'Not found')); |
| 153 | 159 | ||