mirrors/TiddlyWiki5
1
0
Fork 0
mirror of https://github.com/Jermolene/TiddlyWiki5 synced 2024-11-27 03:57:21 +00:00
Code Issues Releases Wiki Activity

Fileserver: Check for valid file paths

Browse Source
This commit is contained in:
jeremy@jermolene.com 2021-08-28 13:16:54 +01:00
parent 124b49456a
commit a67b1b8bb5
1 changed files with 21 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
core/modules/server/routes/get-file.js
View File

@ -21,8 +21,12 @@ exports.handler = function(request,response,state) {
fs = require("fs"), fs = require("fs"),
util = require("util"), util = require("util"),
suppliedFilename = decodeURIComponent(state.params[0]), suppliedFilename = decodeURIComponent(state.params[0]),
filename = path.resolve(state.boot.wikiPath,"files",suppliedFilename), baseFilename = path.resolve(state.boot.wikiPath,"files"),
filename = path.resolve(baseFilename,suppliedFilename),
extension = path.extname(filename); extension = path.extname(filename);
// Check that the filename is inside the wiki files folder
if(path.relative(baseFilename,filename).indexOf("..") !== 0) {
// Send the file
fs.readFile(filename,function(err,content) { fs.readFile(filename,function(err,content) {
var status,content,type = "text/plain"; var status,content,type = "text/plain";
if(err) { if(err) {
@ -36,6 +40,9 @@ exports.handler = function(request,response,state) {
} }
state.sendResponse(status,{"Content-Type": type},content); state.sendResponse(status,{"Content-Type": type},content);
}); });
} else {
state.sendResponse(404,{"Content-Type": "text/plain"},"File '" + suppliedFilename + "' not found");
}
}; };
}()); }());