mirrors/etherpad-lite
1
0
Fork 0
mirror of https://github.com/ether/etherpad-lite.git synced 2025-04-20 15:36:16 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 27

padurlsanitize: Don't crash if sanitizePadId() throws

Browse source 
Let Express send a 500 status code to the user instead.

Co-authored-by: Richard Hansen <rhansen@rhansen.org>
This commit is contained in:
webzwo0i 2021-07-05 06:12:02 +02:00 committed by Richard Hansen
parent 4733c7d8d3
commit 8b73f2ee70
2 changed files with 20 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

1
CHANGELOG.md
View file

@ -15,6 +15,7 @@
from the database when the group is deleted. from the database when the group is deleted.
* Fixed race conditions in the `setText`, `appendText`, and `restoreRevision` * Fixed race conditions in the `setText`, `appendText`, and `restoreRevision`
functions (HTTP API). functions (HTTP API).
* Fixed a crash if the database is busy enough to cause a query timeout.
#### For plugin authors #### For plugin authors

35
src/node/hooks/express/padurlsanitize.js
View file

@ -4,24 +4,27 @@ const padManager = require('../../db/PadManager');
exports.expressCreateServer = (hookName, args, cb) => { exports.expressCreateServer = (hookName, args, cb) => {
// redirects browser to the pad's sanitized url if needed. otherwise, renders the html // redirects browser to the pad's sanitized url if needed. otherwise, renders the html
args.app.param('pad', async (req, res, next, padId) => { args.app.param('pad', (req, res, next, padId) => {
// ensure the padname is valid and the url doesn't end with a / (async () => {
if (!padManager.isValidPadId(padId) || /\/$/.test(req.url)) { // ensure the padname is valid and the url doesn't end with a /
res.status(404).send('Such a padname is forbidden'); if (!padManager.isValidPadId(padId) || /\/$/.test(req.url)) {
return; res.status(404).send('Such a padname is forbidden');
} return;
}
const sanitizedPadId = await padManager.sanitizePadId(padId); const sanitizedPadId = await padManager.sanitizePadId(padId);
if (sanitizedPadId === padId) { if (sanitizedPadId === padId) {
// the pad id was fine, so just render it // the pad id was fine, so just render it
next(); next();
} else { } else {
// the pad id was sanitized, so we redirect to the sanitized version // the pad id was sanitized, so we redirect to the sanitized version
const realURL = encodeURIComponent(sanitizedPadId) + new URL(req.url, 'http://invalid.invalid').search; const realURL =
res.header('Location', realURL); encodeURIComponent(sanitizedPadId) + new URL(req.url, 'http://invalid.invalid').search;
res.status(302).send(`You should be redirected to <a href="${realURL}">${realURL}</a>`); res.header('Location', realURL);
} res.status(302).send(`You should be redirected to <a href="${realURL}">${realURL}</a>`);
}
})().catch((err) => next(err || new Error(err)));
}); });
return cb(); return cb();
}; };