Proper fix for path traversal

This commit is contained in:
calzoneman 2013-07-27 11:06:49 -04:00
parent 5dfd9ad310
commit 34e55d6fad
2 changed files with 20 additions and 11 deletions

View File

@ -2,7 +2,7 @@
"author": "Calvin Montgomery", "author": "Calvin Montgomery",
"name": "CyTube", "name": "CyTube",
"description": "Online media synchronizer and chat", "description": "Online media synchronizer and chat",
"version": "2.1.1", "version": "2.1.2",
"repository": { "repository": {
"url": "http://github.com/calzoneman/sync" "url": "http://github.com/calzoneman/sync"
}, },

View File

@ -5,7 +5,7 @@ var Logger = require("./logger");
var Channel = require("./channel"); var Channel = require("./channel");
var User = require("./user"); var User = require("./user");
const VERSION = "2.1.1"; const VERSION = "2.1.2";
function getIP(req) { function getIP(req) {
var raw = req.connection.remoteAddress; var raw = req.connection.remoteAddress;
@ -93,15 +93,24 @@ var Server = {
// default path // default path
this.app.get("/:thing(*)", function (req, res, next) { this.app.get("/:thing(*)", function (req, res, next) {
while(req.params.thing.indexOf("%25") != -1) var opts = {
req.params.thing = decodeURIComponent(req.params.thing); root: __dirname + "/www",
req.params.thing = decodeURIComponent(req.params.thing); }
var root = __dirname + "/www/", res.sendfile(req.params.thing, opts, function (err) {
answer = path.resolve (__dirname + "/www/", req.params.thing); if(err) {
if (answer.indexOf (root) != 0) // Damn path traversal attacks
res.send (404); if(req.params.thing.indexOf("%2e") != -1) {
else res.send("Don't try that again, I'll ban you");
res.sendfile(__dirname + "/www/" + req.params.thing); Logger.syslog.log("WARNING: Attempted path "+
"traversal from /" + getIP(req));
Logger.syslog.log("URL: " + req.url);
}
// Something actually went wrong
else {
res.send(500);
}
}
});
}); });
// fallback // fallback