From 705363b98b841f0f2e0f0bf5f1b270bdfcea6915 Mon Sep 17 00:00:00 2001
From: tomsmeding
Date: Wed, 22 Apr 2015 14:13:00 +0200
Subject: Improve security: prohibit downloading of anything but themes

---
 chatserver.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/chatserver.js b/chatserver.js
index d665e2c..51ab363 100755
--- a/chatserver.js
+++ b/chatserver.js
@@ -202,9 +202,10 @@ http.createServer(function(req,res){
 if(req.url=="/"){
 res.writeHead(200,{"Content-Type":"text/html"});
 res.end(pagehtml);
- } else if(!/\/\./.test(req.url)){
- var url=req.url.slice(1);
- if(url.indexOf("?")!=-1)url=url.slice(0,url.indexOf("?"));
+ } else {
+ var url=req.url.slice(1); //strip off the initial '/'
+ if(url.indexOf("?")!=-1)url=url.slice(0,url.indexOf("?")); //strip off parameters
+ if(!/^theme-[a-z0-9]+\.css$/i.test(url))res.end("not permitted");
 try{res.end(fs.readFileSync(url).toString());}
 catch(e){res.end("error");}
 }
-- 
cgit v1.2.3-70-g09d2
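Review bot: The new allow-list check on the added `if(!/^theme-[a-z0-9]+\.css$/i.test(url))` line does not stop the handler, so after `res.end("not permitted")` control falls through to the `try` block and `fs.readFileSync(url)` still runs on the rejected path; the first `res.end` wins the response, but the read from disk happens regardless, and depending on the Node version the second `res.end` is either silently dropped or raises a write-after-end error. The rejection branch should return, e.g. `if(!/^theme-[a-z0-9]+\.css$/i.test(url)){res.end("not permitted");return;}`, so that only names matching the allow-list ever reach the filesystem read. It would also be clearer to send an explicit status on that branch, e.g. `res.writeHead(403);` before the `res.end`, rather than a 200 with a "not permitted" body, and a brief comment such as `// only theme stylesheets may be fetched; anything else is refused before touching the filesystem` would document the intent the regex encodes. The enclosing `http.createServer` callback starts and ends outside the hunk.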