From 230aa79e89a3461c060188bd35cc737520f5d86b Mon Sep 17 00:00:00 2001
From: Tom Smeding <tom.smeding@gmail.com>
Date: Fri, 29 Jan 2021 17:42:28 +0100
Subject: Don't send hidden files in /f/

---
 webserver.js | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/webserver.js b/webserver.js
index e5a62c8..5496f11 100755
--- a/webserver.js
+++ b/webserver.js
@@ -84,6 +84,10 @@ for (let i = 0; i < module_list.length; i++) {
 }
 
 
+function anyComponentHidden(fname) {
+	return fname[0] == "." || fname.indexOf("/.") != -1;
+}
+
 // if 'mime' is not null/undefined, it should be the content-type of the file
 // options:
 //   { mime: "content-type value", listdirs: true/false, cors: true/false }
@@ -92,7 +96,7 @@ function requestFile(req, res, path, origpath, options) {
 	if (options == null) options = {};
 	fname = cmn.webfilesdir + path;
 	console.log("Requesting file " + fname);
-	if (!fs.existsSync(fname)) {
+	if (anyComponentHidden(fname) || !fs.existsSync(fname)) {
 		res.status(404).send("That file does not exist.");
 		return;
 	}
-- 
cgit v1.2.3-70-g09d2