forked from svrjs/svrjs
Fix access control bypass vulnerability for non-proxy SVR.JS mods
This commit is contained in:
parent
2c93e0fc24
commit
2d733b70bf
3 changed files with 15 additions and 5 deletions
|
@ -3,7 +3,7 @@
|
|||
"port": 80,
|
||||
"pubport": 80,
|
||||
"page404": "404.html",
|
||||
"timestamp": 1694024561052,
|
||||
"timestamp": 1694099048015,
|
||||
"blacklist": [],
|
||||
"nonStandardCodes": [],
|
||||
"enableCompression": true,
|
||||
|
|
14
svr.js
14
svr.js
|
@ -3274,10 +3274,20 @@ if (!cluster.isPrimary) {
|
|||
function modExecute(mods, ffinals) {
|
||||
// Prepare modFunction
|
||||
var modFunction = ffinals;
|
||||
for (var i = mods.length - 1; i >= 0; i--) {
|
||||
modFunction = mods[i].callback(req, res, serverconsole, responseEnd, href, ext, uobject, search, "index.html", users, page404, head, foot, fd, modFunction, configJSON, callServerError, getCustomHeaders, origHref, redirect, parsePostData);
|
||||
var useMods = mods;
|
||||
|
||||
if(isProxy) {
|
||||
// Get list of forward proxy mods
|
||||
useMods = [];
|
||||
mods.forEach(function (mod) {
|
||||
if (mod.proxyCallback !== undefined) useMods.push(mod);
|
||||
});
|
||||
}
|
||||
|
||||
useMods.reverse().forEach(function (modO) {
|
||||
modFunction = modO.callback(req, res, serverconsole, responseEnd, href, ext, uobject, search, "index.html", users, page404, head, foot, fd, modFunction, configJSON, callServerError, getCustomHeaders, origHref, redirect, parsePostData);
|
||||
});
|
||||
|
||||
// Execute modfunction
|
||||
modFunction();
|
||||
}
|
||||
|
|
|
@ -1 +1 @@
|
|||
56
|
||||
0
|
Reference in a new issue