author | tomsmeding <hallo@tomsmeding.nl> | 2015-04-22 14:13:00 +0200 |
committer | tomsmeding <hallo@tomsmeding.nl> | 2015-04-22 14:13:00 +0200 |
commit | 705363b98b841f0f2e0f0bf5f1b270bdfcea6915 (patch) | |
tree | f0a9e10e628e5aa00c87eed5539b016632fd8978 | |
parent | b092d7729ee6fec2c7ad1f6a849bca750400d746 (diff) |
Improve security: prohibit downloading of anything but themes
-rwxr-xr-x | chatserver.js | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/chatserver.js b/chatserver.js
index d665e2c..51ab363 100755
--- a/chatserver.js
+++ b/chatserver.js
@@ -202,9 +202,10 @@ http.createServer(function(req,res){
 if(req.url=="/"){
 res.writeHead(200,{"Content-Type":"text/html"});
 res.end(pagehtml);
- } else if(!/\/\./.test(req.url)){
- var url=req.url.slice(1);
- if(url.indexOf("?")!=-1)url=url.slice(0,url.indexOf("?"));
+ } else {
+ var url=req.url.slice(1); //strip off the initial '/'
+ if(url.indexOf("?")!=-1)url=url.slice(0,url.indexOf("?")); //strip off parameters
+ if(!/^theme-[a-z0-9]+\.css$/i.test(url))res.end("not permitted");
 try{res.end(fs.readFileSync(url).toString());}
 catch(e){res.end("error");}
 } |
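Review bot: The new allow-list check does not stop the handler: the line `if(!/^theme-[a-z0-9]+\.css$/i.test(url))res.end("not permitted");` has no `return`, so execution falls through to `fs.readFileSync(url)` with the unvalidated, now unrestricted path (the old `/\/\./` traversal check was removed in the same hunk). The file is still read from disk for any request; the content only fails to reach the client because `res.end` on an already-finished response is presumably a no-op, which is an accident rather than a guarantee and still lets a remote caller make the server read arbitrary files. The guard should terminate the request and should not answer 200 for a rejection: `if(!/^theme-[a-z0-9]+\.css$/i.test(url)){res.writeHead(403);res.end("not permitted");return;}`. The enclosing `http.createServer(function(req,res){` callback starts before this hunk and its body continues after it.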