Commit aa88a753 by Johannes Zellner

protect _admin/

1 parent 04bc2989
Showing with 15 additions and 8 deletions
...@@ -119,6 +119,9 @@ ...@@ -119,6 +119,9 @@
</li> </li>
</ol> </ol>
</div> </div>
<div class="col-lg-12" style="text-align: right;">
<button class="btn btn-default btn-sm" v-on:click="createDirectoryAsk()">Create Directory</button>
</div>
<div class="col-lg-12"> <div class="col-lg-12">
<table class="table table-hover table-condensed"> <table class="table table-hover table-condensed">
<thead> <thead>
...@@ -150,9 +153,6 @@ ...@@ -150,9 +153,6 @@
</tbody> </tbody>
</table> </table>
</div> </div>
<div class="col-lg-12" style="text-align: right;">
<button class="btn btn-default btn-sm" v-on:click="createDirectoryAsk()">Create Directory</button>
</div>
</div> </div>
</div> </div>
......
...@@ -119,8 +119,9 @@ function put(filePath, otherFilePaths, options) { ...@@ -119,8 +119,9 @@ function put(filePath, otherFilePaths, options) {
console.log('Uploading file %s -> %s', relativeFilePath.cyan, destinationPath.cyan); console.log('Uploading file %s -> %s', relativeFilePath.cyan, destinationPath.cyan);
superagent.put(config.server() + API + destinationPath).query(gQuery).attach('file', file).end(function (error, result) { superagent.put(config.server() + API + destinationPath).query(gQuery).attach('file', file).end(function (error, result) {
if (result && result.statusCode === 403) return callback(new Error('Upload destination ' + destinationPath + ' not allowed'));
if (result && result.statusCode !== 201) return callback(new Error('Error uploading file: ' + result.statusCode));
if (error) return callback(error); if (error) return callback(error);
if (result.statusCode !== 201) return callback(new Error('Error uploading file: ' + result.statusCode));
console.log('Uploaded to ' + config.server() + destinationPath); console.log('Uploaded to ' + config.server() + destinationPath);
...@@ -128,7 +129,7 @@ function put(filePath, otherFilePaths, options) { ...@@ -128,7 +129,7 @@ function put(filePath, otherFilePaths, options) {
}); });
}, function (error) { }, function (error) {
if (error) { if (error) {
console.log('Failed to put file.', error); console.log('Failed to put file.', error.message.red);
process.exit(1); process.exit(1);
} }
...@@ -143,9 +144,9 @@ function get(filePath) { ...@@ -143,9 +144,9 @@ function get(filePath) {
filePath = filePath || '/'; filePath = filePath || '/';
request.get(config.server() + API + filePath, { qs: gQuery }, function (error, result, body) { request.get(config.server() + API + filePath, { qs: gQuery }, function (error, result, body) {
if (result && result.statusCode === 401) return console.log('Login failed');
if (result && result.statusCode === 404) return console.log('No such file or directory %s', filePath.yellow);
if (error) return console.error(error); if (error) return console.error(error);
if (result.statusCode === 401) return console.log('Login failed');
if (result.statusCode === 404) return console.log('No such file or directory %s', filePath.yellow);
// 222 indicates directory listing // 222 indicates directory listing
if (result.statusCode === 222) { if (result.statusCode === 222) {
......
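Review bot: The two status checks added in the first hunk ahead of `if (error) return callback(error);` only give the new 403 message because they run first — depending on the superagent version a non-2xx reply may also be reported through `error`, and the old order would have dropped it; a short comment would keep a later reorder from regressing this, e.g. `// check the reply status before error: superagent may report a non-2xx reply as an error too, and the status gives the more useful message`. The text `Upload destination ... not allowed` is also what the user sees when the server rejects a path that escapes its base directory (that handler answers 403 for both cases), so the wording could say "not allowed by the server" rather than implying only the protected directory. The enclosing put() continues outside the hunk.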
...@@ -61,6 +61,10 @@ function createDirectory(targetPath, callback) { ...@@ -61,6 +61,10 @@ function createDirectory(targetPath, callback) {
}); });
} }
function isProtected(targetPath) {
return targetPath.indexOf(getAbsolutePath('_admin')) === 0;
}
function getAbsolutePath(filePath) { function getAbsolutePath(filePath) {
var absoluteFilePath = path.resolve(path.join(gBasePath, filePath)); var absoluteFilePath = path.resolve(path.join(gBasePath, filePath));
...@@ -114,7 +118,7 @@ function put(req, res, next) { ...@@ -114,7 +118,7 @@ function put(req, res, next) {
if ((req.files && req.files.file) && req.query.directory) return next(new HttpError(400, 'either file or directory')); if ((req.files && req.files.file) && req.query.directory) return next(new HttpError(400, 'either file or directory'));
var absoluteFilePath = getAbsolutePath(filePath); var absoluteFilePath = getAbsolutePath(filePath);
if (!absoluteFilePath) return next(new HttpError(403, 'Path not allowed')); if (!absoluteFilePath || isProtected(absoluteFilePath)) return next(new HttpError(403, 'Path not allowed'));
fs.stat(absoluteFilePath, function (error, result) { fs.stat(absoluteFilePath, function (error, result) {
if (error && error.code !== 'ENOENT') return next(new HttpError(500, error)); if (error && error.code !== 'ENOENT') return next(new HttpError(500, error));
...@@ -148,6 +152,8 @@ function del(req, res, next) { ...@@ -148,6 +152,8 @@ function del(req, res, next) {
var absoluteFilePath = getAbsolutePath(filePath); var absoluteFilePath = getAbsolutePath(filePath);
if (!absoluteFilePath) return next(new HttpError(404, 'Not found')); if (!absoluteFilePath) return next(new HttpError(404, 'Not found'));
if (isProtected(absoluteFilePath)) return next(new HttpError(403, 'Path not allowed'));
// absoltueFilePath has to have the base path prepended // absoltueFilePath has to have the base path prepended
if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(404, 'Not found')); if (absoluteFilePath.length <= gBasePath.length) return next(new HttpError(404, 'Not found'));
......
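Review bot: isProtected in the first hunk is a bare string-prefix test, so any sibling entry whose name merely starts with `_admin` (a constructed example: `_admin-old`) is also refused with 403 by the put and del branches that call it, and because the comparison is exact it does not match a differently-cased spelling of the same directory on a case-insensitive filesystem — worth either normalizing or documenting as an assumption. Anchoring the prefix on a separator fixes the over-matching cheaply: `var adminPath = getAbsolutePath('_admin');` followed by `return targetPath === adminPath || targetPath.indexOf(adminPath + path.sep) === 0;`. A one-line header such as `// true when targetPath is the _admin directory itself or anything below it` would also state the intended contract. Only put and del gain the check in this commit; whether get should apply it as well is not visible here.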