From 4730c3b46ee0dd9b99b1873c167055738ef7a45c Mon Sep 17 00:00:00 2001
From: Peter 'Pita' Martischka
Date: Sat, 13 Aug 2011 20:20:30 +0100
Subject: [PATCH] added a error message for invalid padIDs
---
 node/server.js | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/node/server.js b/node/server.js
index 0d8cc303..a429cd31 100644
--- a/node/server.js
+++ b/node/server.js
@@ -162,7 +162,7 @@ async.waterfall([
 //ensure the padname is valid and the url doesn't end with a /
 if(!isValidPadname(req.params.pad) || /\/$/.test(req.url))
 {
- next();
+ res.send('Such a padname is forbidden', 404);
 return;
 }

@@ -177,7 +177,7 @@ async.waterfall([
 //ensure the padname is valid and the url doesn't end with a /
 if(!isValidPadname(req.params.pad) || /\/$/.test(req.url))
 {
- next();
+ res.send('Such a padname is forbidden', 404);
 return;
 }

@@ -189,6 +189,13 @@ async.waterfall([
 //serve timeslider.html under /p/$padname/timeslider
 app.get('/p/:pad/export/:type', function(req, res, next)
 {
+ //ensure the padname is valid and the url doesn't end with a /
+ if(!isValidPadname(req.params.pad) || /\/$/.test(req.url))
+ {
+ res.send('Such a padname is forbidden', 404);
+ return;
+ }
+
 var types = ["pdf", "doc", "txt", "html", "odt"];
 //send a 404 if we don't support this filetype
 if(types.indexOf(req.params.type) == -1)
@@ -211,6 +218,13 @@ async.waterfall([
 //handle import requests
 app.post('/p/:pad/import', function(req, res, next)
 {
+ //ensure the padname is valid and the url doesn't end with a /
+ if(!isValidPadname(req.params.pad) || /\/$/.test(req.url))
+ {
+ res.send('Such a padname is forbidden', 404);
+ return;
+ }
+
 //if abiword is disabled, skip handling this request
 if(settings.abiword == null)
 {
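Review bot: In the hunk at -162,7 (and identically at -177,7, -189,6 and -211,6) the new 404 body `Such a padname is forbidden` is also sent when only the trailing-slash half of the condition fails, so a valid pad name requested with a trailing `/` is reported as a forbidden name. The slash test runs on `req.url`, which still carries the query string, so it misses a trailing slash followed by `?...` and fires on a query string that happens to end in `/`. Splitting the two conditions and testing the path only, e.g. `/\/$/.test(req.url.split('?')[0])`, with its own message for the slash case, would make the response accurate. The handler bodies start and end outside these hunks, so whether anything later relies on the old `next()` fall-through cannot be seen here.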
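Review bot: The guard added to the export route in the hunk at -189,6 is a third pasted copy of the block in the two handlers above, and the import hunk at -211,6 adds a fourth, so any `:pad` route added later without the paste reaches its handler with an unvalidated pad name. If the Express version in use supports `app.param`, registering the check once for the `pad` parameter, as sketched below, covers every such route and keeps the response text in one place. The context comment above the export route still reads `//serve timeslider.html under /p/$padname/timeslider` and should describe the export handler instead. Both handler bodies continue outside the hunks.

```javascript
//validate :pad once for every route that declares it
app.param('pad', function(req, res, next, padId)
{
  //ensure the padname is valid and the url doesn't end with a /
  if(!isValidPadname(padId) || /\/$/.test(req.url))
  {
    res.send('Such a padname is forbidden', 404);
    return;
  }
  next();
});
// … unchanged: route handlers, minus their per-route copies of the guard …
```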