From aa88a75382d0f5ff2929768a412d8ec64dfc6296 Mon Sep 17 00:00:00 2001
From: Johannes Zellner
Date: Tue, 1 Mar 2016 19:04:23 +0100
Subject: protect _admin/

---
 app/index.html | 6 +++---
 cli/actions.js | 9 +++++----
 src/files.js | 8 +++++++-
 3 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/app/index.html b/app/index.html
index 99ae525..f6561a3 100644
--- a/app/index.html
+++ b/app/index.html
@@ -119,6 +119,9 @@
+
+ +
@@ -150,9 +153,6 @@
-
- -
diff --git a/cli/actions.js b/cli/actions.js
index 6f8faea..69ffa10 100644
--- a/cli/actions.js
+++ b/cli/actions.js
@@ -119,8 +119,9 @@ function put(filePath, otherFilePaths, options) {
 console.log('Uploading file %s -> %s', relativeFilePath.cyan, destinationPath.cyan);
 superagent.put(config.server() + API + destinationPath).query(gQuery).attach('file', file).end(function (error, result) {
+ if (result && result.statusCode === 403) return callback(new Error('Upload destination ' + destinationPath + ' not allowed'));
+ if (result && result.statusCode !== 201) return callback(new Error('Error uploading file: ' + result.statusCode));
 if (error) return callback(error);
- if (result.statusCode !== 201) return callback(new Error('Error uploading file: ' + result.statusCode));
 console.log('Uploaded to ' + config.server() + destinationPath);
@@ -128,7 +129,7 @@ function put(filePath, otherFilePaths, options) {
 });
 }, function (error) {
 if (error) {
- console.log('Failed to put file.', error);
+ console.log('Failed to put file.', error.message.red);
 process.exit(1);
 }
@@ -143,9 +144,9 @@ function get(filePath) {
 filePath = filePath || '/';
 request.get(config.server() + API + filePath, { qs: gQuery }, function (error, result, body) {
+ if (result && result.statusCode === 401) return console.log('Login failed');
+ if (result && result.statusCode === 404) return console.log('No such file or directory %s', filePath.yellow);
 if (error) return console.error(error);
- if (result.statusCode === 401) return console.log('Login failed');
- if (result.statusCode === 404) return console.log('No such file or directory %s', filePath.yellow);
 // 222 indicates directory listing
 if (result.statusCode === 222) {
diff --git a/src/files.js b/src/files.js
index 8a4115f..99b3aa2 100644
--- a/src/files.js
+++ b/src/files.js
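Review bot: The added `!== 201` branch in the superagent `.end` callback reports only the status code and discards the `error` object that superagent hands over together with `result` for non-2xx responses, so whatever detail `error` carries (including the reason behind the 403 the server now returns for protected paths) is lost; before this change the error object was forwarded first. Keeping the detail is a one-line change: `if (result && result.statusCode !== 201) return callback(new Error('Error uploading file: ' + result.statusCode + (error ? ' (' + error.message + ')' : '')));`. The enclosing put() body starts and ends outside the hunk.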
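Review bot: `error.message.red` in the final put() callback throws a TypeError when the value reaching it is not an Error with a string `message`, because the `.red` getter (presumably the colors string extension already used for `.cyan` and `.yellow`) is not defined on `undefined`; the process would then die with a stack trace instead of the intended message and `process.exit(1)`. Within this diff every path appears to pass `new Error(...)` or a superagent error, but the callback may also be reached from code outside the hunk, so a defensive form is cheap: `console.log('Failed to put file.', String(error.message || error).red);`. The enclosing callback starts outside the hunk.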
@@ -61,6 +61,10 @@ function createDirectory(targetPath, callback) {
 });
 }
+function isProtected(targetPath) {
+ return targetPath.indexOf(getAbsolutePath('_admin')) === 0;
+}
+
 function getAbsolutePath(filePath) {
 var absoluteFilePath = path.resolve(path.join(gBasePath, filePath));
@@ -114,7 +118,7 @@ function put(req, res, next) {
 if ((req.files && req.files.file) && req.query.directory) return next(new HttpError(400, 'either file or directory'));
 var absoluteFilePath = getAbsolutePath(filePath);
- if (!absoluteFilePath) return next(new HttpError(403, 'Path not allowed'));
+ if (!absoluteFilePath || isProtected(absoluteFilePath)) return next(new HttpError(403, 'Path not allowed'));
 fs.stat(absoluteFilePath, function (error, result) {
 if (error && error.code !== 'ENOENT') return next(new HttpError(500, error));
@@ -148,6 +152,8 @@ function del(req, res, next) {
 var absoluteFilePath = getAbsolutePath(filePath);
 if (!absoluteFilePath) return next(new HttpError(404, 'Not found'));
+ if (isProtected(absoluteFilePath)) return next(new HttpError(403, 'Path not allowed'));
+
 // absoltueFilePath has to have the base path prepended
 if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(404, 'Not found'));
-- 
cgit v1.2.3
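Review bot: The new `isProtected` is a bare string-prefix match (`indexOf(...) === 0`), so it also rejects any sibling entry whose name merely begins with `_admin` (for example `_admin-old`), and it does not consider `getAbsolutePath('_admin')` returning a falsy value, which the callers in the put and del hunks below treat as possible for other inputs. A separator-aware comparison fixes the prefix problem: `var adminPath = getAbsolutePath('_admin');` followed by `return targetPath === adminPath || targetPath.indexOf(adminPath + path.sep) === 0;`, with `path` already in scope from `getAbsolutePath`. The guard is applied only in put and del in this commit; if the module has other handlers that create, move or rename entries under gBasePath, they presumably need the same check, which cannot be confirmed from this diff.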