File tree 1 file changed +12
-3
lines changed
1 file changed +12
-3
lines changed Original file line number Diff line number Diff line change @@ -5,9 +5,18 @@ const http = require('http');
55const PORT = 4848 ;
66
77const server = http . createServer ( ( req , res ) => {
8- const filePath = path . join ( __dirname , "client/" , req . url === '/' ? 'sqlite_browser_ui.html' : req . url ) ;
8+ let requestedPath = req . url === '/' ? 'sqlite_browser_ui.html' : req . url ;
99
10- const extname = path . extname ( filePath ) ;
10+ const filePath = path . join ( __dirname , "client" , requestedPath ) ;
11+
12+ const normalizedPath = path . normalize ( filePath ) ;
13+ if ( ! normalizedPath . startsWith ( path . join ( __dirname , "client" ) ) ) {
14+ res . writeHead ( 403 , { 'Content-Type' : 'text/html' } ) ;
15+ res . end ( '<h1>403 Forbidden</h1>' , 'utf8' ) ;
16+ return ;
17+ }
18+
19+ const extname = path . extname ( normalizedPath ) ;
1120 const contentType = {
1221 '.html' : 'text/html' ,
1322 '.css' : 'text/css' ,
@@ -17,7 +26,7 @@ const server = http.createServer((req, res) => {
1726 '.ico' : 'image/x-icon' ,
1827 } [ extname ] || 'application/octet-stream' ;
1928
20- fs . readFile ( filePath , ( err , content ) => {
29+ fs . readFile ( normalizedPath , ( err , content ) => {
2130 if ( err ) {
2231 if ( err . code === 'ENOENT' ) {
2332 res . writeHead ( 404 , { 'Content-Type' : 'text/html' } ) ;
You can’t perform that action at this time.
0 commit comments