zoriya/flood
1
0
Fork 0
mirror of https://github.com/zoriya/flood.git synced 2026-06-04 11:35:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

server: torrents: ensure path is allowed when mediainfo is requested

Browse Source
This commit is contained in:
Jesse Chan
2020-12-06 21:52:44 +08:00
parent f0b9ca4e2c
commit ebb4927b74
1 changed files with 3 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/routes/api/torrents.ts
+3
View File
@@ -668,6 +668,9 @@ router.get('/:hash/mediainfo', async (req, res) => {
} }
const contentPath = fs.existsSync(path.join(directory, name)) ? path.join(directory, name) : directory; const contentPath = fs.existsSync(path.join(directory, name)) ? path.join(directory, name) : directory;
if (!isAllowedPath(contentPath)) {
callback(null, accessDeniedError());
}
try { try {
const mediainfoProcess = childProcess.execFile( const mediainfoProcess = childProcess.execFile(