1
0
Fork 0
forked from svrjs/svrjs

Fix access control bypass vulnerability for non-proxy SVR.JS mods

This commit is contained in:
Dorian Niemiec 2023-09-07 18:00:58 +02:00
parent 2c93e0fc24
commit 2d733b70bf
3 changed files with 15 additions and 5 deletions

View file

@ -3,7 +3,7 @@
"port": 80,
"pubport": 80,
"page404": "404.html",
"timestamp": 1694024561052,
"timestamp": 1694099048015,
"blacklist": [],
"nonStandardCodes": [],
"enableCompression": true,

14
svr.js
View file

@ -3274,10 +3274,20 @@ if (!cluster.isPrimary) {
function modExecute(mods, ffinals) {
// Prepare modFunction
var modFunction = ffinals;
for (var i = mods.length - 1; i >= 0; i--) {
modFunction = mods[i].callback(req, res, serverconsole, responseEnd, href, ext, uobject, search, "index.html", users, page404, head, foot, fd, modFunction, configJSON, callServerError, getCustomHeaders, origHref, redirect, parsePostData);
var useMods = mods;
if(isProxy) {
// Get list of forward proxy mods
useMods = [];
mods.forEach(function (mod) {
if (mod.proxyCallback !== undefined) useMods.push(mod);
});
}
useMods.reverse().forEach(function (modO) {
modFunction = modO.callback(req, res, serverconsole, responseEnd, href, ext, uobject, search, "index.html", users, page404, head, foot, fd, modFunction, configJSON, callServerError, getCustomHeaders, origHref, redirect, parsePostData);
});
// Execute modfunction
modFunction();
}

View file

@ -1 +1 @@
56
0