unlinkFile: Fix so it decodes the uri path. Also add some safety checks
Some checks failed
continuous-integration/appveyor/branch AppVeyor build failed
parent
f1be7e0d79
commit
b931dfb784
2 changed files with 10 additions and 3 deletions
|
@ -199,9 +199,16 @@ export default class MediaRoutes {
|
|||
|
||||
this.filesCacheRemove(site, ctx.params.filename)
|
||||
|
||||
await this.fs.unlink(`${config.get('uploadFolder')}/${site}/${ctx.params.filename}`)
|
||||
let root = `${config.get('uploadFolder')}/${site}`
|
||||
var unlinkPath = path.join(root, decodeURIComponent(ctx.params.filename))
|
||||
|
||||
if (unlinkPath.indexOf(root) !== 0) {
|
||||
throw new HttpError(403, `Error removing ${unlinkPath}: Traversing folder is not allowed`)
|
||||
}
|
||||
|
||||
await this.fs.unlink(unlinkPath)
|
||||
.catch(function(err) {
|
||||
throw new HttpError(422, `Error removing ${site}/${ctx.params.filename}: ${err.message}`)
|
||||
throw new HttpError(422, `Error removing ${unlinkPath}: ${err.message}`)
|
||||
})
|
||||
|
||||
ctx.status = 204
|
||||
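Review bot: The containment test `unlinkPath.indexOf(root) !== 0` is a plain string-prefix comparison, so a joined path that lands in a sibling directory whose name starts with the same characters as `root` still passes, and because `root` is never normalised while `path.join` normalises `unlinkPath`, legitimate names can also be rejected when separators or `./` segments differ. Resolve both sides and compare on a separator boundary: `const root = path.resolve(config.get('uploadFolder'), site)`, `const unlinkPath = path.resolve(root, decodeURIComponent(ctx.params.filename))`, `if (!unlinkPath.startsWith(root + path.sep)) {`. `decodeURIComponent` throws `URIError` on malformed escapes and sits outside the `.catch`, so it probably surfaces as a 500 rather than a 4xx; if the router already decodes params (not visible here), this is also a second decode. `this.filesCacheRemove(site, ctx.params.filename)` still runs before the check and with the undecoded name, and both error messages now echo `unlinkPath`, which discloses the upload folder location to the client where the old message showed only `site/filename`. The enclosing method starts and ends outside the hunk.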
|
|
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"name": "storage-upload",
|
||||
"version": "2.2.5",
|
||||
"version": "2.2.6",
|
||||
"description": "Micro service for uploading and image resizing files to a storage server.",
|
||||
"main": "index.js",
|
||||
"scripts": {
|
||||
|
|