From 65f71d8e3bbeccc7fa3d0bfb86a1e6c3b3aac27d Mon Sep 17 00:00:00 2001
From: NGPixel
Date: Fri, 5 Jun 2020 14:52:36 -0400
Subject: [PATCH] fix: strip starting slash from path during page create

---
 server/models/pages.js | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/server/models/pages.js b/server/models/pages.js
index db9b6eff..b4a5fd1d 100644
--- a/server/models/pages.js
+++ b/server/models/pages.js
@@ -214,7 +214,7 @@ module.exports = class Page extends Model {
 */
 static async createPage(opts) {
 // -> Validate path
- if (opts.path.indexOf('.') >= 0 || opts.path.indexOf(' ') >= 0 || opts.path.indexOf('\\') >= 0) {
+ if (opts.path.indexOf('.') >= 0 || opts.path.indexOf(' ') >= 0 || opts.path.indexOf('\\') >= 0 || opts.path.indexOf('//') >= 0) {
 throw new WIKI.Error.PageIllegalPath()
 }

@@ -223,6 +223,11 @@ module.exports = class Page extends Model {
 opts.path = opts.path.slice(0, -1)
 }

+ // -> Remove starting slash
+ if (opts.path.startsWith('/')) {
+ opts.path = opts.path.slice(1)
+ }
+
 // -> Check for page access
 if (!WIKI.auth.checkAccess(opts.user, ['write:pages'], {
 locale: opts.locale,
@@ -404,7 +409,7 @@ module.exports = class Page extends Model {
 }

 // -> Validate path
- if (opts.destinationPath.indexOf('.') >= 0 || opts.destinationPath.indexOf(' ') >= 0 || opts.destinationPath.indexOf('\\') >= 0) {
+ if (opts.destinationPath.indexOf('.') >= 0 || opts.destinationPath.indexOf(' ') >= 0 || opts.destinationPath.indexOf('\\') >= 0 || opts.destinationPath.indexOf('//') >= 0) {
 throw new WIKI.Error.PageIllegalPath()
 }

@@ -413,6 +418,11 @@ module.exports = class Page extends Model {
 opts.destinationPath = opts.destinationPath.slice(0, -1)
 }

+ // -> Remove starting slash
+ if (opts.destinationPath.startsWith('/')) {
+ opts.destinationPath = opts.destinationPath.slice(1)
+ }
+
 // -> Check for source page access
 if (!WIKI.auth.checkAccess(opts.user, ['manage:pages'], {
 locale: page.localeCode,
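Review bot: The path check in createPage is now a four-clause deny-list that is copied verbatim for `opts.destinationPath` in the hunk at -404,7, so the two copies can drift apart the next time a sequence is added. A single helper used by both call sites, for example `static isIllegalPath(p) { return ['.', ' ', '\\', '//'].some(seq => p.includes(seq)) }`, would keep them in step. A deny-list also rejects only the sequences it names, so if page paths are meant to be limited to a known character set (not visible from here), an allow-list pattern would be the stricter check. createPage starts and ends outside this hunk.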
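Review bot: Nothing visible after the two slash strips rejects an empty result. A path of `/` contains none of the denied sequences, so if the trailing-slash strip just above this hunk is guarded by an `endsWith('/')` test (its condition is outside the hunk), the path reaches `WIKI.auth.checkAccess` as `''`. A guard after the new block, `if (opts.path.length < 1) { throw new WIKI.Error.PageIllegalPath() }`, would close that, and the same applies to `opts.destinationPath` in the last hunk. Normalizing before the access check is the right order, since the permission rules then see the path in its final form. A one-line comment saying so would stop a later refactor from moving the strip below the check.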