LAB-linuxserver/core
1
0
Fork 0
mirror of https://github.com/linuxserver/core.git synced 2026-02-20 05:07:19 +08:00
Code Issues Packages Projects Releases Wiki Activity

decodeURIComponent can throw

Browse Source 
fixes https://github.com/c9/newclient/issues/13386
This commit is contained in:
Fabian Jakobs 2016-04-12 10:26:51 +00:00
parent d404d1ded9
commit ab3913a429
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
plugins/c9.preview/lib/middleware/sanitize-path-param.js
View File

@ -1,9 +1,16 @@
"use strict";
var Path = require("path");
var error = require("http-error");
module.exports = function sanitzePreviewPath(req, res, next) {
var normalized = Path.normalize(decodeURIComponent(req.params.path));
var normalized;
try {
normalized = Path.normalize(decodeURIComponent(req.params.path));
} catch(e) {
return next(new error.BadRequest("URI malformed"));
}
// N.B. Path.normalize does not strip away when the path starts with "../"
if (normalized)