overleaf/server-ce/hotfix/4.2.7/pr_19293.patch

18 lines
783 B
Diff
Raw Normal View History

--- a/services/clsi/app/js/StaticServerForbidSymlinks.js
+++ b/services/clsi/app/js/StaticServerForbidSymlinks.js
@@ -25,9 +25,13 @@ module.exports = ForbidSymlinks = function (staticFn, root, options) {
let file, projectId, result
const path = req.url
// check that the path is of the form /project_id_or_name/path/to/file.log
- if ((result = path.match(/^\/?([a-zA-Z0-9_-]+)\/(.*)/))) {
+ if ((result = path.match(/^\/([a-zA-Z0-9_-]+)\/(.*)$/s))) {
projectId = result[1]
file = result[2]
+ if (path !== `/${projectId}/${file}`) {
+ logger.warn({ path }, 'unrecognized file request')
+ return res.sendStatus(404)
+ }
} else {
logger.warn({ path }, 'unrecognized file request')
return res.sendStatus(404)