aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
Diffstat
-rw-r--r--app/index.html6
-rw-r--r--cli/actions.js9
-rw-r--r--src/files.js8
3 files changed, 15 insertions, 8 deletions
diff --git a/app/index.html b/app/index.html
index 99ae525..f6561a3 100644
--- a/app/index.html
+++ b/app/index.html
@@ -119,6 +119,9 @@
119 </li> 119 </li>
120 </ol> 120 </ol>
121 </div> 121 </div>
122 <div class="col-lg-12" style="text-align: right;">
123 <button class="btn btn-default btn-sm" v-on:click="createDirectoryAsk()">Create Directory</button>
124 </div>
122 <div class="col-lg-12"> 125 <div class="col-lg-12">
123 <table class="table table-hover table-condensed"> 126 <table class="table table-hover table-condensed">
124 <thead> 127 <thead>
@@ -150,9 +153,6 @@
150 </tbody> 153 </tbody>
151 </table> 154 </table>
152 </div> 155 </div>
153 <div class="col-lg-12" style="text-align: right;">
154 <button class="btn btn-default btn-sm" v-on:click="createDirectoryAsk()">Create Directory</button>
155 </div>
156 </div> 156 </div>
157 </div> 157 </div>
158 158
diff --git a/cli/actions.js b/cli/actions.js
index 6f8faea..69ffa10 100644
--- a/cli/actions.js
+++ b/cli/actions.js
@@ -119,8 +119,9 @@ function put(filePath, otherFilePaths, options) {
119 console.log('Uploading file %s -> %s', relativeFilePath.cyan, destinationPath.cyan); 119 console.log('Uploading file %s -> %s', relativeFilePath.cyan, destinationPath.cyan);
120 120
121 superagent.put(config.server() + API + destinationPath).query(gQuery).attach('file', file).end(function (error, result) { 121 superagent.put(config.server() + API + destinationPath).query(gQuery).attach('file', file).end(function (error, result) {
122 if (result && result.statusCode === 403) return callback(new Error('Upload destination ' + destinationPath + ' not allowed'));
123 if (result && result.statusCode !== 201) return callback(new Error('Error uploading file: ' + result.statusCode));
122 if (error) return callback(error); 124 if (error) return callback(error);
123 if (result.statusCode !== 201) return callback(new Error('Error uploading file: ' + result.statusCode));
124 125
125 console.log('Uploaded to ' + config.server() + destinationPath); 126 console.log('Uploaded to ' + config.server() + destinationPath);
126 127
@@ -128,7 +129,7 @@ function put(filePath, otherFilePaths, options) {
128 }); 129 });
129 }, function (error) { 130 }, function (error) {
130 if (error) { 131 if (error) {
131 console.log('Failed to put file.', error); 132 console.log('Failed to put file.', error.message.red);
132 process.exit(1); 133 process.exit(1);
133 } 134 }
134 135
@@ -143,9 +144,9 @@ function get(filePath) {
143 filePath = filePath || '/'; 144 filePath = filePath || '/';
144 145
145 request.get(config.server() + API + filePath, { qs: gQuery }, function (error, result, body) { 146 request.get(config.server() + API + filePath, { qs: gQuery }, function (error, result, body) {
147 if (result && result.statusCode === 401) return console.log('Login failed');
148 if (result && result.statusCode === 404) return console.log('No such file or directory %s', filePath.yellow);
146 if (error) return console.error(error); 149 if (error) return console.error(error);
147 if (result.statusCode === 401) return console.log('Login failed');
148 if (result.statusCode === 404) return console.log('No such file or directory %s', filePath.yellow);
149 150
150 // 222 indicates directory listing 151 // 222 indicates directory listing
151 if (result.statusCode === 222) { 152 if (result.statusCode === 222) {
diff --git a/src/files.js b/src/files.js
index 8a4115f..99b3aa2 100644
--- a/src/files.js
+++ b/src/files.js
@@ -61,6 +61,10 @@ function createDirectory(targetPath, callback) {
61 }); 61 });
62} 62}
63 63
64function isProtected(targetPath) {
65 return targetPath.indexOf(getAbsolutePath('_admin')) === 0;
66}
67
64function getAbsolutePath(filePath) { 68function getAbsolutePath(filePath) {
65 var absoluteFilePath = path.resolve(path.join(gBasePath, filePath)); 69 var absoluteFilePath = path.resolve(path.join(gBasePath, filePath));
66 70
@@ -114,7 +118,7 @@ function put(req, res, next) {
114 if ((req.files && req.files.file) && req.query.directory) return next(new HttpError(400, 'either file or directory')); 118 if ((req.files && req.files.file) && req.query.directory) return next(new HttpError(400, 'either file or directory'));
115 119
116 var absoluteFilePath = getAbsolutePath(filePath); 120 var absoluteFilePath = getAbsolutePath(filePath);
117 if (!absoluteFilePath) return next(new HttpError(403, 'Path not allowed')); 121 if (!absoluteFilePath || isProtected(absoluteFilePath)) return next(new HttpError(403, 'Path not allowed'));
118 122
119 fs.stat(absoluteFilePath, function (error, result) { 123 fs.stat(absoluteFilePath, function (error, result) {
120 if (error && error.code !== 'ENOENT') return next(new HttpError(500, error)); 124 if (error && error.code !== 'ENOENT') return next(new HttpError(500, error));
@@ -148,6 +152,8 @@ function del(req, res, next) {
148 var absoluteFilePath = getAbsolutePath(filePath); 152 var absoluteFilePath = getAbsolutePath(filePath);
149 if (!absoluteFilePath) return next(new HttpError(404, 'Not found')); 153 if (!absoluteFilePath) return next(new HttpError(404, 'Not found'));
150 154
155 if (isProtected(absoluteFilePath)) return next(new HttpError(403, 'Path not allowed'));
156
151 // absoltueFilePath has to have the base path prepended 157 // absoltueFilePath has to have the base path prepended
152 if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(404, 'Not found')); 158 if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(404, 'Not found'));
153 159
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-21 14:43:03 +0000