mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-20 23:46:14 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

revert to old path handling, but strip out "..". fixes #2614

Browse source
This commit is contained in:
Tom Hunkapiller 2015-04-15 14:30:53 -05:00
parent 1fbf0db650
commit 6ff7d4e9a6
1 changed files with 4 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/node/utils/Minify.js
View file

@ -143,8 +143,11 @@ function minify(req, res, next)
// No relative paths, especially if they may go up the file hierarchy. // No relative paths, especially if they may go up the file hierarchy.
filename = path.normalize(path.join(ROOT_DIR, filename)); filename = path.normalize(path.join(ROOT_DIR, filename));
filename = filename.replace(/\.\./g, '')
if (filename.indexOf(ROOT_DIR) == 0) { if (filename.indexOf(ROOT_DIR) == 0) {
filename = filename.slice(ROOT_DIR.length); filename = filename.slice(ROOT_DIR.length);
filename = filename.replace(/\\/g, '/')
} else { } else {
res.writeHead(404, {}); res.writeHead(404, {});
res.end(); res.end();
@ -165,6 +168,7 @@ function minify(req, res, next)
var plugin = plugins.plugins[library]; var plugin = plugins.plugins[library];
var pluginPath = plugin.package.realPath; var pluginPath = plugin.package.realPath;
filename = path.relative(ROOT_DIR, pluginPath + libraryPath); filename = path.relative(ROOT_DIR, pluginPath + libraryPath);
filename = filename.replace(/\\/g, '/'); // windows path fix
} else if (LIBRARY_WHITELIST.indexOf(library) != -1) { } else if (LIBRARY_WHITELIST.indexOf(library) != -1) {
// Go straight into node_modules // Go straight into node_modules
// Avoid `require.resolve()`, since 'mustache' and 'mustache/index.js' // Avoid `require.resolve()`, since 'mustache' and 'mustache/index.js'