diff --git a/package.json b/package.json
index bda636e6..e7dde87a 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
 "author": "Calvin Montgomery",
 "name": "CyTube",
 "description": "Online media synchronizer and chat",
- "version": "2.1.1",
+ "version": "2.1.2",
 "repository": {
 "url": "http://github.com/calzoneman/sync"
 },
diff --git a/server.js b/server.js
index 20ddd5ee..d5b9d0ed 100644
--- a/server.js
+++ b/server.js
@@ -5,7 +5,7 @@ var Logger = require("./logger");
 var Channel = require("./channel");
 var User = require("./user");
-const VERSION = "2.1.1";
+const VERSION = "2.1.2";
 function getIP(req) {
 var raw = req.connection.remoteAddress;
@@ -93,15 +93,24 @@ var Server = {
 // default path
 this.app.get("/:thing(*)", function (req, res, next) {
- while(req.params.thing.indexOf("%25") != -1)
- req.params.thing = decodeURIComponent(req.params.thing);
- req.params.thing = decodeURIComponent(req.params.thing);
- var root = __dirname + "/www/",
- answer = path.resolve (__dirname + "/www/", req.params.thing);
- if (answer.indexOf (root) != 0)
- res.send (404);
- else
- res.sendfile(__dirname + "/www/" + req.params.thing);
+ var opts = {
+ root: __dirname + "/www",
+ }
+ res.sendfile(req.params.thing, opts, function (err) {
+ if(err) {
+ // Damn path traversal attacks
+ if(req.params.thing.indexOf("%2e") != -1) {
+ res.send("Don't try that again, I'll ban you");
+ Logger.syslog.log("WARNING: Attempted path "+ "traversal from /" + getIP(req));
+ Logger.syslog.log("URL: " + req.url);
+ }
+ // Something actually went wrong
+ else {
+ res.send(500);
+ }
+ }
+ });
 });
 // fallback
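Review bot: The error callback in the new `this.app.get("/:thing(*)")` handler collapses every `sendfile` failure that lacks a literal `%2e` into a 500, so an ordinary missing file under `www/` is answered as a server error rather than a 404, and the traversal log only fires on a double-encoded dot — if the router has already decoded `req.params.thing`, a plain `..` request that `sendfile` refuses falls into the 500 branch and is never logged. The `send` module behind Express's `sendfile` appears to set `err.status` (404 for a missing file, 403 for a path it refuses to serve), so `res.send(err.status || 500);` in the else branch, and keying the log on `err.status == 403 || req.params.thing.indexOf("%2e") != -1`, gives the log the cases it is meant to record. The taunt reply currently goes out as a 200; `res.send(403, "Don't try that again, I'll ban you");` keeps the message but gives clients and proxies the right status. The `var opts = {...}` declaration is also missing its trailing semicolon. The enclosing `Server` object continues outside the hunk.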