From 53560a7bcd5e1079908ec904af404a80032181b4 Mon Sep 17 00:00:00 2001
From: Dorian Niemiec
Date: Sat, 9 Sep 2023 00:36:24 +0200
Subject: [PATCH] Mitigiate source-code leakage through hidden files in temp folder. Also change default enableRemoteLogBrowsing to false.

---
 config.json | 6 +++---
 index.html | 2 +-
 svr.js | 13 ++++++++-----
 3 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/config.json b/config.json
index c370392..674dacd 100644
--- a/config.json
+++ b/config.json
@@ -3,7 +3,7 @@
   "port": 80,
   "pubport": 80,
   "page404": "404.html",
-  "timestamp": 1694196507492,
+  "timestamp": 1694212357224,
   "blacklist": [],
   "nonStandardCodes": [],
   "enableCompression": true,
@@ -14,7 +14,7 @@
   "enableDirectoryListingWithDefaultHead": false,
   "serverAdministratorEmail": "[no contact information]",
   "stackHidden": false,
-  "enableRemoteLogBrowsing": true,
+  "enableRemoteLogBrowsing": false,
   "exposeServerVersion": true,
   "disableServerSideScriptExpose": true,
   "rewriteMap": [
@@ -102,4 +102,4 @@
   "errorPages": [],
   "useWebRootServerSideScript": true,
   "exposeModsInErrorPages": true
-}
\ No newline at end of file
+}
diff --git a/index.html b/index.html
index 9b1060d..246489c 100644
--- a/index.html
+++ b/index.html
@@ -40,7 +40,7 @@
   "enableDirectoryListingWithDefaultHead": false,
  "serverAdministratorEmail": "[no contact information]",
  "stackHidden": false,
-   "enableRemoteLogBrowsing": true,
+   "enableRemoteLogBrowsing": false,
  "exposeServerVersion": true,
  "disableServerSideScriptExpose": true,
  "rewriteMap": [
diff --git a/svr.js b/svr.js
index 767159e..1433be5 100644
--- a/svr.js
+++ b/svr.js
@@ -1793,11 +1793,10 @@ if (useWebRootServerSideScript) {
 } else {
   forbiddenPaths.serverSideScripts.push(getInitializePath("./serverSideScript.js"));
 }
-forbiddenPaths.serverSideScripts.push(getInitializePath("./temp/serverSideScript.js"));
 forbiddenPaths.serverSideScriptDirectories = [];
-forbiddenPaths.serverSideScriptDirectories.push(getInitializePath("./temp/modloader"));
 forbiddenPaths.serverSideScriptDirectories.push(getInitializePath("./node_modules"));
 forbiddenPaths.serverSideScriptDirectories.push(getInitializePath("./mods"));
+forbiddenPaths.temp = getInitializePath("./temp");
 forbiddenPaths.log = getInitializePath("./log");
 
 // Create server
@@ -4283,7 +4282,11 @@ if (!cluster.isPrimary) {
         callServerError(403);
         serverconsole.errmessage("Access to configuration file/certificates is denied.");
         return;
-      } else if (isIndexOfForbiddenPath(decodedHref, "log") && !isProxy && (configJSON.enableLogging || configJSON.enableLogging == undefined) && !(configJSON.enableRemoteLogBrowsing || configJSON.enableRemoteLogBrowsing == undefined)) {
+      } else if (isForbiddenPath(decodedHref, "temp") && !isProxy) {
+        callServerError(403);
+        serverconsole.errmessage("Access to temporary folder is denied.");
+        return;
+      } else if (isIndexOfForbiddenPath(decodedHref, "log") && !isProxy && (configJSON.enableLogging || configJSON.enableLogging == undefined) && !configJSON.enableRemoteLogBrowsing) {
         callServerError(403);
         serverconsole.errmessage("Access to log files is denied.");
         return;
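Review bot: `forbiddenPaths.temp = getInitializePath("./temp");` replaces the two targeted `./temp/...` entries that were removed just above it, so the protection for that directory now rests entirely on the request-time branch that consults the `"temp"` key, and a reader of this list cannot see that from here. A short comment on the new line would make the dependency explicit, e.g. `// The whole ./temp tree is denied in the request handler; this supersedes the former per-file serverSideScripts/serverSideScriptDirectories entries.` The enclosing `if (useWebRootServerSideScript)` / `else` block begins outside the hunk.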
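Review bot: The new branch checks `isForbiddenPath(decodedHref, "temp")`, while the neighbouring `log` branch, which guards a directory registered the same way (a single string in forbiddenPaths), uses `isIndexOfForbiddenPath`; if `isForbiddenPath` is an exact-path comparison, as its name and that contrast suggest (its definition is outside the hunk), a request for a file beneath `./temp` would not be caught by this check. Confirm the helper's semantics, or align the branch with the `log` one: `} else if (isIndexOfForbiddenPath(decodedHref, "temp") && !isProxy) {`. The simplification to `!configJSON.enableRemoteLogBrowsing` also changes behaviour when the option is undefined (log browsing is now denied), which agrees with the new saveConfig default but deserves a sentence in the commit message. The enclosing request handler starts and ends outside the hunk.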
@@ -5498,7 +5501,7 @@ function saveConfig() {
   if (configJSONobj.enableDirectoryListingWithDefaultHead === undefined) configJSONobj.enableDirectoryListingWithDefaultHead = false;
   if (configJSONobj.serverAdministratorEmail === undefined) configJSONobj.serverAdministratorEmail = "[no contact information]";
   if (configJSONobj.stackHidden === undefined) configJSONobj.stackHidden = false;
-  if (configJSONobj.enableRemoteLogBrowsing === undefined) configJSONobj.enableRemoteLogBrowsing = true;
+  if (configJSONobj.enableRemoteLogBrowsing === undefined) configJSONobj.enableRemoteLogBrowsing = false;
   if (configJSONobj.exposeServerVersion === undefined) configJSONobj.exposeServerVersion = true;
   if (configJSONobj.disableServerSideScriptExpose === undefined) configJSONobj.disableServerSideScriptExpose = true;
   if (configJSONobj.allowStatus === undefined) configJSONobj.allowStatus = true;
@@ -5514,7 +5517,7 @@ function saveConfig() {
   if (configJSONobj.errorPages === undefined) configJSONobj.errorPages = [];
   if (configJSONobj.useWebRootServerSideScript === undefined) configJSONobj.useWebRootServerSideScript = true;
   if (configJSONobj.exposeModsInErrorPages === undefined) configJSONobj.exposeModsInErrorPages = true;
-
+
   var configString = JSON.stringify(configJSONobj, null, 2);
   fs.writeFileSync(__dirname + "/config.json", configString);
   break;