forked from svrjs/svrjs
Mitigiate source-code leakage through hidden files in temp folder. Also change default enableRemoteLogBrowsing to false.
This commit is contained in:
parent
6066f77fae
commit
53560a7bcd
3 changed files with 12 additions and 9 deletions
|
@ -3,7 +3,7 @@
|
|||
"port": 80,
|
||||
"pubport": 80,
|
||||
"page404": "404.html",
|
||||
"timestamp": 1694196507492,
|
||||
"timestamp": 1694212357224,
|
||||
"blacklist": [],
|
||||
"nonStandardCodes": [],
|
||||
"enableCompression": true,
|
||||
|
@ -14,7 +14,7 @@
|
|||
"enableDirectoryListingWithDefaultHead": false,
|
||||
"serverAdministratorEmail": "[no contact information]",
|
||||
"stackHidden": false,
|
||||
"enableRemoteLogBrowsing": true,
|
||||
"enableRemoteLogBrowsing": false,
|
||||
"exposeServerVersion": true,
|
||||
"disableServerSideScriptExpose": true,
|
||||
"rewriteMap": [
|
||||
|
|
|
@ -40,7 +40,7 @@
|
|||
"enableDirectoryListingWithDefaultHead": false,<br/>
|
||||
"serverAdministratorEmail": "[no contact information]",<br/>
|
||||
"stackHidden": false,<br/>
|
||||
"enableRemoteLogBrowsing": true,<br/>
|
||||
"enableRemoteLogBrowsing": false,<br/>
|
||||
"exposeServerVersion": true,<br/>
|
||||
"disableServerSideScriptExpose": true,<br/>
|
||||
"rewriteMap": [<br/>
|
||||
|
|
11
svr.js
11
svr.js
|
@ -1793,11 +1793,10 @@ if (useWebRootServerSideScript) {
|
|||
} else {
|
||||
forbiddenPaths.serverSideScripts.push(getInitializePath("./serverSideScript.js"));
|
||||
}
|
||||
forbiddenPaths.serverSideScripts.push(getInitializePath("./temp/serverSideScript.js"));
|
||||
forbiddenPaths.serverSideScriptDirectories = [];
|
||||
forbiddenPaths.serverSideScriptDirectories.push(getInitializePath("./temp/modloader"));
|
||||
forbiddenPaths.serverSideScriptDirectories.push(getInitializePath("./node_modules"));
|
||||
forbiddenPaths.serverSideScriptDirectories.push(getInitializePath("./mods"));
|
||||
forbiddenPaths.temp = getInitializePath("./temp");
|
||||
forbiddenPaths.log = getInitializePath("./log");
|
||||
|
||||
// Create server
|
||||
|
@ -4283,7 +4282,11 @@ if (!cluster.isPrimary) {
|
|||
callServerError(403);
|
||||
serverconsole.errmessage("Access to configuration file/certificates is denied.");
|
||||
return;
|
||||
} else if (isIndexOfForbiddenPath(decodedHref, "log") && !isProxy && (configJSON.enableLogging || configJSON.enableLogging == undefined) && !(configJSON.enableRemoteLogBrowsing || configJSON.enableRemoteLogBrowsing == undefined)) {
|
||||
} else if (isForbiddenPath(decodedHref, "temp") && !isProxy) {
|
||||
callServerError(403);
|
||||
serverconsole.errmessage("Access to temporary folder is denied.");
|
||||
return;
|
||||
} else if (isIndexOfForbiddenPath(decodedHref, "log") && !isProxy && (configJSON.enableLogging || configJSON.enableLogging == undefined) && !configJSON.enableRemoteLogBrowsing) {
|
||||
callServerError(403);
|
||||
serverconsole.errmessage("Access to log files is denied.");
|
||||
return;
|
||||
|
@ -5498,7 +5501,7 @@ function saveConfig() {
|
|||
if (configJSONobj.enableDirectoryListingWithDefaultHead === undefined) configJSONobj.enableDirectoryListingWithDefaultHead = false;
|
||||
if (configJSONobj.serverAdministratorEmail === undefined) configJSONobj.serverAdministratorEmail = "[no contact information]";
|
||||
if (configJSONobj.stackHidden === undefined) configJSONobj.stackHidden = false;
|
||||
if (configJSONobj.enableRemoteLogBrowsing === undefined) configJSONobj.enableRemoteLogBrowsing = true;
|
||||
if (configJSONobj.enableRemoteLogBrowsing === undefined) configJSONobj.enableRemoteLogBrowsing = false;
|
||||
if (configJSONobj.exposeServerVersion === undefined) configJSONobj.exposeServerVersion = true;
|
||||
if (configJSONobj.disableServerSideScriptExpose === undefined) configJSONobj.disableServerSideScriptExpose = true;
|
||||
if (configJSONobj.allowStatus === undefined) configJSONobj.allowStatus = true;
|
||||
|
|
Reference in a new issue