mirror of https://github.com/calzoneman/sync.git
Proper fix for path traversal
This commit is contained in:
parent
5dfd9ad310
commit
34e55d6fad
|
@ -2,7 +2,7 @@
|
||||||
"author": "Calvin Montgomery",
|
"author": "Calvin Montgomery",
|
||||||
"name": "CyTube",
|
"name": "CyTube",
|
||||||
"description": "Online media synchronizer and chat",
|
"description": "Online media synchronizer and chat",
|
||||||
"version": "2.1.1",
|
"version": "2.1.2",
|
||||||
"repository": {
|
"repository": {
|
||||||
"url": "http://github.com/calzoneman/sync"
|
"url": "http://github.com/calzoneman/sync"
|
||||||
},
|
},
|
||||||
|
|
29
server.js
29
server.js
|
@ -5,7 +5,7 @@ var Logger = require("./logger");
|
||||||
var Channel = require("./channel");
|
var Channel = require("./channel");
|
||||||
var User = require("./user");
|
var User = require("./user");
|
||||||
|
|
||||||
const VERSION = "2.1.1";
|
const VERSION = "2.1.2";
|
||||||
|
|
||||||
function getIP(req) {
|
function getIP(req) {
|
||||||
var raw = req.connection.remoteAddress;
|
var raw = req.connection.remoteAddress;
|
||||||
|
@ -93,15 +93,24 @@ var Server = {
|
||||||
|
|
||||||
// default path
|
// default path
|
||||||
this.app.get("/:thing(*)", function (req, res, next) {
|
this.app.get("/:thing(*)", function (req, res, next) {
|
||||||
while(req.params.thing.indexOf("%25") != -1)
|
var opts = {
|
||||||
req.params.thing = decodeURIComponent(req.params.thing);
|
root: __dirname + "/www",
|
||||||
req.params.thing = decodeURIComponent(req.params.thing);
|
}
|
||||||
var root = __dirname + "/www/",
|
res.sendfile(req.params.thing, opts, function (err) {
|
||||||
answer = path.resolve (__dirname + "/www/", req.params.thing);
|
if(err) {
|
||||||
if (answer.indexOf (root) != 0)
|
// Damn path traversal attacks
|
||||||
res.send (404);
|
if(req.params.thing.indexOf("%2e") != -1) {
|
||||||
else
|
res.send("Don't try that again, I'll ban you");
|
||||||
res.sendfile(__dirname + "/www/" + req.params.thing);
|
Logger.syslog.log("WARNING: Attempted path "+
|
||||||
|
"traversal from /" + getIP(req));
|
||||||
|
Logger.syslog.log("URL: " + req.url);
|
||||||
|
}
|
||||||
|
// Something actually went wrong
|
||||||
|
else {
|
||||||
|
res.send(500);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
// fallback
|
// fallback
|
||||||
|
|
Loading…
Reference in New Issue