Diffstat (limited to 'lib/serve.js')
-rw-r--r--lib/serve.js22
1 files changed, 21 insertions, 1 deletions
diff --git a/lib/serve.js b/lib/serve.js
index fdf24f7..414cef5 100644
--- a/lib/serve.js
+++ b/lib/serve.js
@@ -122,6 +122,19 @@ Serve.prototype.go = function () {
Boolean(conf.replyMentionFeeds)
if (this.req.method === 'POST' || this.req.method === 'PUT') {
+ var referer = this.req.headers.referer
+ var refererPath = this.app.getRefererPath(referer)
+ if (!refererPath) {
+ if (!referer) console.error('Missing referer')
+ else console.error('Referer not allowed: "' + referer + '"')
+ this.res.writeHead(403)
+ return this.res.end('Forbidden')
+ }
+ if (this.isUnsafePath(refererPath)) {
+ console.error('Unsafe referer path not allowed: "' + refererPath + '"')
+ this.res.writeHead(403)
+ return this.res.end('Forbidden')
+ }
if (/^multipart\/form-data/.test(this.req.headers['content-type'])) {
var data = {}
var erred
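Review bot: The two `console.error` calls in the added block write the raw `Referer` header (and the derived path) into the log unescaped, so a client can put newlines or control characters into log output; `JSON.stringify` escapes them, e.g. `else console.error('Referer not allowed: ' + JSON.stringify(referer))` and `console.error('Unsafe referer path not allowed: ' + JSON.stringify(refererPath))`. Whether this block actually blocks cross-site form submissions rests entirely on `this.app.getRefererPath`, which is defined outside the hunk and should return a path only for same-origin referers, otherwise `isUnsafePath` is the sole barrier. A comment above `var referer` stating the intent would help the next reader: `// Reject cross-site POST/PUT: require a same-origin Referer (wrapPage must not set a no-referrer policy or this always 403s)`. Note that the third hunk removes the `no-referrer` meta entirely; `content: 'same-origin'` would keep the header available for this check while still withholding it from external sites. `Serve.prototype.go` starts and ends outside the hunk.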
@@ -213,6 +226,14 @@ Serve.prototype.go = function () {
}
}
+Serve.prototype.isUnsafePath = function (path) {
+ return typeof path !== 'string'
+ || /^&|^%26/.test(path)
+ || path.indexOf('../') !== -1
+ || path.startsWith('/web/')
+ || path.startsWith('/npm-readme/')
+}
+
Serve.prototype.saveDraft = function (content, cb) {
var self = this
var data = self.data
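Review bot: The `path.indexOf('../')` test in `isUnsafePath` only catches an embedded, literal segment: a trailing `/..`, a backslash-separated form, or a percent-encoded `%2e%2e/` all pass, and whether `path` arrives already decoded depends on `getRefererPath`, which is not visible here. Splitting on separators after decoding and checking for a `..` segment is more robust, and a malformed encoding should count as unsafe rather than let `decodeURIComponent` throw inside a request handler. The function also carries no comment on what the `^&|^%26` rule and the `/web/`, `/npm-readme/` prefixes guard against; a short JSDoc such as `/** True if a referer-derived path must not be trusted: non-string, traversal, or a prefix served as raw/proxied content. */` would help, with the prefix rationale confirmed against the routes (it is inferred here). Below is one possible rewrite; the `startsWith` checks remain prefix-only as in the original.
```javascript
Serve.prototype.isUnsafePath = function (path) {
  if (typeof path !== 'string') return true
  var decoded
  try {
    decoded = decodeURIComponent(path)
  } catch (e) {
    return true // malformed percent-encoding: treat as unsafe
  }
  return /^&|^%26/.test(path)
    || decoded.split(/[\\/]/).indexOf('..') !== -1
    || decoded.startsWith('/web/')
    || decoded.startsWith('/npm-readme/')
}
```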
@@ -2426,7 +2447,6 @@ Serve.prototype.wrapPage = function (title, searchQ) {
var done = multicb({pluck: 1, spread: true})
done()(null, h('html', h('head',
h('meta', {charset: 'utf-8'}),
- h('meta', {name: 'referrer', content: 'no-referrer'}),
h('title', title),
h('meta', {name: 'viewport', content: 'width=device-width,initial-scale=1'}),
h('link', {rel: 'icon', href: render.toUrl('/static/hermie.ico'), type: 'image/x-icon'}),