From 08816fe4f3f4590f4dc606c879aba152801b40a8 Mon Sep 17 00:00:00 2001 From: Dorian Niemiec Date: Wed, 6 Sep 2023 19:22:03 +0200 Subject: [PATCH] Mitigated security vulnerability: SVR.JS mods and server-side JavaScript using req.url could be vulnerable to path traversal. --- 404.html | 1 - config.json | 6 +++--- svr.js | 11 ++++++++++- 3 files changed, 13 insertions(+), 5 deletions(-) delete mode 100644 404.html diff --git a/404.html b/404.html deleted file mode 100644 index 3617578..0000000 --- a/404.html +++ /dev/null @@ -1 +0,0 @@ -{path} diff --git a/config.json b/config.json index fc21527..0ff4979 100644 --- a/config.json +++ b/config.json @@ -1,9 +1,9 @@ { "users": [], - "port": 80, + "port": 5555, "pubport": 80, "page404": "404.html", - "timestamp": 1693865100955, + "timestamp": 1694020816055, "blacklist": [], "nonStandardCodes": [], "enableCompression": true, @@ -102,4 +102,4 @@ "errorPages": [], "useWebRootServerSideScript": true, "exposeModsInErrorPages": true -} +} \ No newline at end of file diff --git a/svr.js b/svr.js index a48c90b..90b95a6 100644 --- a/svr.js +++ b/svr.js @@ -4043,7 +4043,8 @@ if (!cluster.isPrimary) { // Sanitize URL var sanitizedHref = sanitizeURL(href); - + var preparedReqUrl = uobject.pathname + (uobject.search ? uobject.search : "") + (uobject.hash ? uobject.hash : ""); + // Check if URL is "dirty" if (href != sanitizedHref && !isProxy) { var sanitizedURL = uobject; @@ -4076,6 +4077,14 @@ if (!cluster.isPrimary) { redirect(sanitizedURL, false); return; } + } else if(req.url != preparedReqUrl && !isProxy) { + serverconsole.resmessage("URL sanitized: " + req.url + " => " + preparedReqUrl); + if(rewriteDirtyURLs) { + req.url = preparedReqUrl; + } else { + redirect(preparedReqUrl, false); + return; + } } // Handle redirects to HTTPS
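Review bot: The default `port` changes from 80 to 5555 and `timestamp` is regenerated in the first config.json hunk, in the same commit as the path traversal mitigation, which looks like local test configuration committed by accident rather than part of the fix. `page404` still names `404.html` in this hunk although the commit deletes that file; whether the server falls back to a built-in error page when the file is missing is not visible in this patch. If neither change is intended, restoring `"port": 80,` and keeping `404.html` would leave the security fix self-contained and easier to audit.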
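Review bot: `preparedReqUrl` is declared in the first svr.js hunk without a comment, and its role as the form of `req.url` that mods and server-side JavaScript are meant to see is only recoverable from the commit message. A line such as `// Request target rebuilt from the parsed URL; req.url is checked against this so code reading req.url does not see the raw client-supplied form` above the declaration would make that explicit. The two ternaries can be shortened to `uobject.search || ""` and `uobject.hash || ""` with the same result. How `uobject` is parsed lies outside the hunk, so whether `pathname` is already normalized at this point should be confirmed there, since the mitigation depends on it.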
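Review bot: The new `else if` in the second svr.js hunk is skipped for proxy requests because of `!isProxy`, and it never runs when `href != sanitizedHref` takes the first branch, so on both paths `req.url` is only corrected if code outside this hunk does it. If mods or server-side JavaScript can read `req.url` on proxied requests they would still see the value exactly as the client sent it; either normalize there as well or document that proxy-side code must not map `req.url` onto the filesystem. Most of the preceding `if (href != sanitizedHref && !isProxy)` body is outside the hunk, so it is worth confirming that its rewrite path also assigns the sanitized value to `req.url`. That branch passes a URL object to `redirect()` while this one passes a string (`redirect(preparedReqUrl, false);`); the definition of `redirect` is not shown, so check that it accepts both.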