mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-22 08:26:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 26

security: Fix authz check for pad names with encoded characters

Browse source 
Also:
  * Minor test cleanups (`function` instead of arrow functions, etc.).
  * Add a test for a case that was previously not covered.
This commit is contained in:
Richard Hansen 2020-09-24 13:59:07 -04:00 committed by John McLear
parent 3c9ae57bb3
commit 72ed1816ec
2 changed files with 69 additions and 30 deletions
Download patch file Download diff file Expand all files Collapse all files

7
src/node/hooks/express/webaccess.js
View file

@ -39,12 +39,13 @@ exports.checkAccess = (req, res, next) => {
if (!level) return fail();
const user = req.session.user;
if (user == null) return next(); // This will happen if authentication is not required.
const padID = (req.path.match(/^\/p\/(.*)$/) || [])[1];
if (padID == null) return next();
const encodedPadId = (req.path.match(/^\/p\/(.*)$/) || [])[1];
if (encodedPadId == null) return next();
const padId = decodeURIComponent(encodedPadId);
// The user was granted access to a pad. Remember the authorization level in the user's
// settings so that SecurityManager can approve or deny specific actions.
if (user.padAuthorizations == null) user.padAuthorizations = {};
user.padAuthorizations[padID] = level;
user.padAuthorizations[padId] = level;
return next();
};