Merge pull request from GHSA-p528-555r-pf87
Fix Relative Path Traversal Attack on note creation
This commit is contained in:
commit
59f669e593
1 changed files with 3 additions and 3 deletions
|
@ -94,7 +94,7 @@ module.exports = function (sequelize, DataTypes) {
|
||||||
let body = null
|
let body = null
|
||||||
let filePath = null
|
let filePath = null
|
||||||
if (note.alias) {
|
if (note.alias) {
|
||||||
filePath = path.join(config.docsPath, note.alias + '.md')
|
filePath = path.join(config.docsPath, path.basename(note.alias) + '.md')
|
||||||
}
|
}
|
||||||
if (!filePath || !Note.checkFileExist(filePath)) {
|
if (!filePath || !Note.checkFileExist(filePath)) {
|
||||||
filePath = config.defaultNotePath
|
filePath = config.defaultNotePath
|
||||||
|
@ -196,7 +196,7 @@ module.exports = function (sequelize, DataTypes) {
|
||||||
}
|
}
|
||||||
}).then(function (note) {
|
}).then(function (note) {
|
||||||
if (note) {
|
if (note) {
|
||||||
const filePath = path.join(config.docsPath, noteId + '.md')
|
const filePath = path.join(config.docsPath, path.basename(noteId) + '.md')
|
||||||
if (Note.checkFileExist(filePath)) {
|
if (Note.checkFileExist(filePath)) {
|
||||||
// if doc in filesystem have newer modified time than last change time
|
// if doc in filesystem have newer modified time than last change time
|
||||||
// then will update the doc in db
|
// then will update the doc in db
|
||||||
|
@ -238,7 +238,7 @@ module.exports = function (sequelize, DataTypes) {
|
||||||
return callback(null, note.id)
|
return callback(null, note.id)
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
const filePath = path.join(config.docsPath, noteId + '.md')
|
const filePath = path.join(config.docsPath, path.basename(noteId) + '.md')
|
||||||
if (Note.checkFileExist(filePath)) {
|
if (Note.checkFileExist(filePath)) {
|
||||||
Note.create({
|
Note.create({
|
||||||
alias: noteId,
|
alias: noteId,
|
||||||
|
|
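Review bot: In the third hunk, `Note.create({ alias: noteId, …` still persists the raw, unsanitized `noteId` while the file it is seeded from is now `path.basename(noteId) + '.md'`, so an alias such as `../foo` is silently mapped to `foo.md` and a note is created under an alias that no longer matches its backing file; `foo` and `x/foo` would become two distinct notes seeded from the same document. Traversal-shaped input is better rejected than normalized: compute `const safeId = path.basename(noteId)` once, bail out when `safeId !== noteId` (presumably via the same not-found return the surrounding code uses for `callback`, which is outside this hunk), and use `safeId` for both the file path and the stored alias. The second hunk has the same mismatch in the other direction, checking a file named after `path.basename(noteId)` for a note that was looked up by the unsanitized id. A short comment on each changed line, such as `// basename drops any directory component so the alias cannot escape docsPath; the fixed '.md' suffix keeps '.' and '..' from resolving to a directory`, would record why this is sufficient. The `.then(function (note) {` body that contains hunks 2 and 3 starts and ends outside the visible hunks.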