Fix not sanitizing file names rendered in html

omphalos · omphalos · commit 4155bfe068bf · 2018-02-14T17:29:21.000-06:00
diff --git a/crud-file-server.js b/crud-file-server.js
@@ -140,7 +140,9 @@ exports.handleRequest = function(vpath, path, req, res, readOnly, logHeadRequest
 															var name = results[f].name;
 															var normalized = url + '/' + name;
 															while(normalized[0] == '/') { normalized = normalized.slice(1, normalized.length); }
-															res.write('\r\n<p><a href="/' + normalized + '">' + name + '</a></p>');
+															if(normalized.indexOf('"') >= 0) throw new Error('unsupported file name')
+															name = name.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+															res.write('\r\n<p><a href="/' + normalized + '"><span>' + name + '</span></a></p>');
 														}
 														res.end('\r\n</body></html>');
 													}

Original file line number	Diff line number	Diff line change
`@@ -140,7 +140,9 @@ exports.handleRequest = function(vpath, path, req, res, readOnly, logHeadRequest`
`140`	`140`	`var name = results[f].name;`
`141`	`141`	`var normalized = url + '/' + name;`
`142`	`142`	`while(normalized[0] == '/') { normalized = normalized.slice(1, normalized.length); }`
`143`		`- res.write('\r\n<p><a href="/' + normalized + '">' + name + '</a></p>');`
	`143`	`+ if(normalized.indexOf('"') >= 0) throw new Error('unsupported file name')`
	`144`	`+ name = name.replace(/&/g, '&').replace(/</g, '<').replace(/>/g, '>');`
	`145`	`+ res.write('\r\n<p><a href="/' + normalized + '"><span>' + name + '</span></a></p>');`
`144`	`146`	`}`
`145`	`147`	`res.end('\r\n</body></html>');`
`146`	`148`	`}`