diff options
| author | Johannes Zellner <johannes@nebulon.de> | 2016-03-01 12:42:13 +0100 |
|---|---|---|
| committer | Johannes Zellner <johannes@nebulon.de> | 2016-03-01 12:42:13 +0100 |
| commit | d755925f749b88157e0935a7fa3c3ed94480292e (patch) | |
| tree | 086d32ac5290cd2c92567ff383bf68d3660c5336 /src | |
| parent | 24545229fc52aa6d948f9081472e65c7f17eaa14 (diff) | |
| download | Surfer-d755925f749b88157e0935a7fa3c3ed94480292e.tar.gz Surfer-d755925f749b88157e0935a7fa3c3ed94480292e.tar.zst Surfer-d755925f749b88157e0935a7fa3c3ed94480292e.zip | |
Properly check for absolute file paths
Diffstat (limited to 'src')
| -rw-r--r-- | src/files.js | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/files.js b/src/files.js index d12782d..c2a4e0f 100644 --- a/src/files.js +++ b/src/files.js | |||
| @@ -106,7 +106,9 @@ function del(req, res, next) { | |||
| 106 | var filePath = req.params[0]; | 106 | var filePath = req.params[0]; |
| 107 | var absoluteFilePath = getAbsolutePath(filePath); | 107 | var absoluteFilePath = getAbsolutePath(filePath); |
| 108 | if (!absoluteFilePath) return next(new HttpError(404, 'Not found')); | 108 | if (!absoluteFilePath) return next(new HttpError(404, 'Not found')); |
| 109 | if (absoluteFilePath.slice(gBasePath.length) === '') return next(new HttpError(403, 'Forbidden')); | 109 | |
| 110 | // absoltueFilePath has to have the base path prepended | ||
| 111 | if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(403, 'Forbidden')); | ||
| 110 | 112 | ||
| 111 | fs.stat(absoluteFilePath, function (error, result) { | 113 | fs.stat(absoluteFilePath, function (error, result) { |
| 112 | if (error) return next(new HttpError(404, error)); | 114 | if (error) return next(new HttpError(404, error)); |