-rw-r--r--cli/actions.js1
-rw-r--r--src/files.js4
2 files changed, 4 insertions, 1 deletions
diff --git a/cli/actions.js b/cli/actions.js
index 59f0714..d10e154 100644
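--- a/cli/actions.js
+++ b/cli/actions.js
@@ -187,6 +187,7 @@ function del(filePath) {
 superagent.del(config.server() + API + relativeFilePath).query(gQuery).end(function (error, result) {
 if (error && error.status === 401) return console.log('Login failed');
 if (error && error.status === 404) return console.log('No such file or directory');
+if (error && error.status === 403) return console.log('No such file or directory');
 if (error) return console.log('Failed', result ? result.body : error);
 
 console.log('Success. Removed %s files.', result.body.entries.length);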
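Review bot: The added 403 branch prints 'No such file or directory', the same text as the 404 branch above it, so a refused delete is reported to the user as a missing path. In the src/files.js part of this commit the server answers 403 'Forbidden' when the target is not below the base path, which is a different condition from a 404. I would print a distinct message, for example `if (error && error.status === 403) return console.log('Forbidden');`, so an operator can tell a policy refusal from a mistyped path. The enclosing `del` starts and ends outside the hunk.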
diff --git a/src/files.js b/src/files.js
index d12782d..c2a4e0f 100644
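--- a/src/files.js
+++ b/src/files.js
@@ -106,7 +106,9 @@ function del(req, res, next) {
 var filePath = req.params[0];
 var absoluteFilePath = getAbsolutePath(filePath);
 if (!absoluteFilePath) return next(new HttpError(404, 'Not found'));
-if (absoluteFilePath.slice(gBasePath.length) === '') return next(new HttpError(403, 'Forbidden'));
+
+// absoltueFilePath has to have the base path prepended
+if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(403, 'Forbidden'));
 
 fs.stat(absoluteFilePath, function (error, result) {
 if (error) return next(new HttpError(404, error));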
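Review bot: The new guard `absoluteFilePath.length <= gBasePath.length` compares lengths only, so it rejects the base path itself but does not check that the path actually lies under `gBasePath`. That containment is left entirely to `getAbsolutePath`, which is not visible in this hunk. Since this is the delete handler, I would make the check explicit at the point of use: `if (absoluteFilePath.indexOf(gBasePath) !== 0 || absoluteFilePath.length <= gBasePath.length) return next(new HttpError(403, 'Forbidden'));`. It is also worth confirming how a value that differs from the base path only by a trailing separator is treated. The added comment has a typo and could state the invariant directly: `// absoluteFilePath must start with gBasePath and name something below it`. The body of `del` continues past the end of the hunk.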