Mitigated security vulnerability: SVR.JS mods and server-side JavaScript using req.url could be vulnerable to path traversal.

2023-09-06 19:22:03 +02:00 · 2023-09-06 19:22:03 +02:00 · 08816fe4f3
commit 08816fe4f3
parent dc23125ce4
3 changed files with 13 additions and 5 deletions
--- a/404.html
+++ b/404.html
@ -1 +0,0 @@
-{path}
--- a/config.json
+++ b/config.json
@ -1,9 +1,9 @@
 {
  "users": [],
-  "port": 80,
+  "port": 5555,
  "pubport": 80,
  "page404": "404.html",
-  "timestamp": 1693865100955,
+  "timestamp": 1694020816055,
  "blacklist": [],
  "nonStandardCodes": [],
  "enableCompression": true,
@ -102,4 +102,4 @@
  "errorPages": [],
  "useWebRootServerSideScript": true,
  "exposeModsInErrorPages": true
-}
+}
--- a/svr.js
+++ b/svr.js
@ -4043,7 +4043,8 @@ if (!cluster.isPrimary) {

      // Sanitize URL
      var sanitizedHref = sanitizeURL(href);
-
+      var preparedReqUrl = uobject.pathname + (uobject.search ? uobject.search : "") + (uobject.hash ? uobject.hash : "");
+      
      // Check if URL is "dirty"
      if (href != sanitizedHref && !isProxy) {
        var sanitizedURL = uobject;
@ -4076,6 +4077,14 @@ if (!cluster.isPrimary) {
          redirect(sanitizedURL, false);
          return;
        }
+      } else if(req.url != preparedReqUrl && !isProxy) {
+        serverconsole.resmessage("URL sanitized: " + req.url + " => " + preparedReqUrl);
+        if(rewriteDirtyURLs) {
+          req.url = preparedReqUrl;
+        } else {
+          redirect(preparedReqUrl, false);
+          return;
+        }
      }
      
      // Handle redirects to HTTPS