diff options
Diffstat (limited to 'lib/serve.js')
-rw-r--r-- | lib/serve.js | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/lib/serve.js b/lib/serve.js index fdf24f7..414cef5 100644 --- a/lib/serve.js +++ b/lib/serve.js @@ -122,6 +122,19 @@ Serve.prototype.go = function () { Boolean(conf.replyMentionFeeds) if (this.req.method === 'POST' || this.req.method === 'PUT') { + var referer = this.req.headers.referer + var refererPath = this.app.getRefererPath(referer) + if (!refererPath) { + if (!referer) console.error('Missing referer') + else console.error('Referer not allowed: "' + referer + '"') + this.res.writeHead(403) + return this.res.end('Forbidden') + } + if (this.isUnsafePath(refererPath)) { + console.error('Unsafe referer path not allowed: "' + refererPath + '"') + this.res.writeHead(403) + return this.res.end('Forbidden') + } if (/^multipart\/form-data/.test(this.req.headers['content-type'])) { var data = {} var erred @@ -213,6 +226,14 @@ Serve.prototype.go = function () { } } +Serve.prototype.isUnsafePath = function (path) { + return typeof path !== 'string' + || /^&|^%26/.test(path) + || path.indexOf('../') !== -1 + || path.startsWith('/web/') + || path.startsWith('/npm-readme/') +} + Serve.prototype.saveDraft = function (content, cb) { var self = this var data = self.data @@ -2426,7 +2447,6 @@ Serve.prototype.wrapPage = function (title, searchQ) { var done = multicb({pluck: 1, spread: true}) done()(null, h('html', h('head', h('meta', {charset: 'utf-8'}), - h('meta', {name: 'referrer', content: 'no-referrer'}), h('title', title), h('meta', {name: 'viewport', content: 'width=device-width,initial-scale=1'}), h('link', {rel: 'icon', href: render.toUrl('/static/hermie.ico'), type: 'image/x-icon'}), |