DorianNiemiecSVRJS/svrjs
Archived
1
0
Fork 0
forked from svrjs/svrjs
Code Pull requests Activity

Fix access control bypass vulnerability for non-proxy SVR.JS mods

Browse source
This commit is contained in:
Dorian Niemiec 2023-09-07 18:00:58 +02:00
parent 2c93e0fc24
commit 2d733b70bf
3 changed files with 15 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
config.json
View file

@ -3,7 +3,7 @@
"port": 80, "port": 80,
"pubport": 80, "pubport": 80,
"page404": "404.html", "page404": "404.html",
"timestamp": 1694024561052, "timestamp": 1694099048015,
"blacklist": [], "blacklist": [],
"nonStandardCodes": [], "nonStandardCodes": [],
"enableCompression": true, "enableCompression": true,

14
svr.js
View file

@ -3274,10 +3274,20 @@ if (!cluster.isPrimary) {
function modExecute(mods, ffinals) { function modExecute(mods, ffinals) {
// Prepare modFunction // Prepare modFunction
var modFunction = ffinals; var modFunction = ffinals;
for (var i = mods.length - 1; i >= 0; i--) { var useMods = mods;
modFunction = mods[i].callback(req, res, serverconsole, responseEnd, href, ext, uobject, search, "index.html", users, page404, head, foot, fd, modFunction, configJSON, callServerError, getCustomHeaders, origHref, redirect, parsePostData);
if(isProxy) {
// Get list of forward proxy mods
useMods = [];
mods.forEach(function (mod) {
if (mod.proxyCallback !== undefined) useMods.push(mod);
});
} }
useMods.reverse().forEach(function (modO) {
modFunction = modO.callback(req, res, serverconsole, responseEnd, href, ext, uobject, search, "index.html", users, page404, head, foot, fd, modFunction, configJSON, callServerError, getCustomHeaders, origHref, redirect, parsePostData);
});
// Execute modfunction // Execute modfunction
modFunction(); modFunction();
} }

2
views.txt
View file

@ -1 +1 @@
56 0