Diffstat (limited to 'src')
-rw-r--r-- | src/files.js | 4 |
1 files changed, 3 insertions, 1 deletions
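--- a/src/files.js
+++ b/src/files.js
@@ -106,7 +106,9 @@ function del(req, res, next) {
 var filePath = req.params[0];
 var absoluteFilePath = getAbsolutePath(filePath);
 if (!absoluteFilePath) return next(new HttpError(404, 'Not found'));
-if (absoluteFilePath.slice(gBasePath.length) === '') return next(new HttpError(403, 'Forbidden'));
+
+// absoltueFilePath has to have the base path prepended
+if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(403, 'Forbidden'));
 
 fs.stat(absoluteFilePath, function (error, result) {
 if (error) return next(new HttpError(404, error));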
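Review bot: The new guard at line 111 is still only a length comparison, so it does not itself establish that the path lies under gBasePath, and it rejects the base directory only when getAbsolutePath() returns it without a trailing separator. It matches exactly the inputs the removed `slice(...) === ''` test matched. Since getAbsolutePath() is not visible here, either the comment should state that it guarantees the prefix, or the delete handler should test containment directly, e.g. `var rel = path.relative(gBasePath, absoluteFilePath);` followed by `if (!rel || rel.split(path.sep)[0] === '..' || path.isAbsolute(rel)) return next(new HttpError(403, 'Forbidden'));` (assuming `path` is required in this file). The added comment also misspells the variable as `absoltueFilePath`. del() continues past the end of the hunk.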