unlinkFile: Fix so it decodes the uri path. Also add some safety checks
Some checks failed
continuous-integration/appveyor/branch AppVeyor build failed
Some checks failed
continuous-integration/appveyor/branch AppVeyor build failed
This commit is contained in:
parent
f1be7e0d79
commit
b931dfb784
2 changed files with 10 additions and 3 deletions
|
|
@ -199,9 +199,16 @@ export default class MediaRoutes {
|
||||||
|
|
||||||
this.filesCacheRemove(site, ctx.params.filename)
|
this.filesCacheRemove(site, ctx.params.filename)
|
||||||
|
|
||||||
await this.fs.unlink(`${config.get('uploadFolder')}/${site}/${ctx.params.filename}`)
|
let root = `${config.get('uploadFolder')}/${site}`
|
||||||
|
var unlinkPath = path.join(root, decodeURIComponent(ctx.params.filename))
|
||||||
|
|
||||||
|
if (unlinkPath.indexOf(root) !== 0) {
|
||||||
|
throw new HttpError(403, `Error removing ${unlinkPath}: Traversing folder is not allowed`)
|
||||||
|
}
|
||||||
|
|
||||||
|
await this.fs.unlink(unlinkPath)
|
||||||
.catch(function(err) {
|
.catch(function(err) {
|
||||||
throw new HttpError(422, `Error removing ${site}/${ctx.params.filename}: ${err.message}`)
|
throw new HttpError(422, `Error removing ${unlinkPath}: ${err.message}`)
|
||||||
})
|
})
|
||||||
|
|
||||||
ctx.status = 204
|
ctx.status = 204
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
{
|
{
|
||||||
"name": "storage-upload",
|
"name": "storage-upload",
|
||||||
"version": "2.2.5",
|
"version": "2.2.6",
|
||||||
"description": "Micro service for uploading and image resizing files to a storage server.",
|
"description": "Micro service for uploading and image resizing files to a storage server.",
|
||||||
"main": "index.js",
|
"main": "index.js",
|
||||||
"scripts": {
|
"scripts": {
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue