1
0
Fork 0
forked from svrjs/svrjs

Mitigiate source-code leakage through hidden files in temp folder. Also change default enableRemoteLogBrowsing to false.

This commit is contained in:
Dorian Niemiec 2023-09-09 00:36:24 +02:00
parent 6066f77fae
commit 53560a7bcd
3 changed files with 12 additions and 9 deletions

View file

@ -3,7 +3,7 @@
"port": 80,
"pubport": 80,
"page404": "404.html",
"timestamp": 1694196507492,
"timestamp": 1694212357224,
"blacklist": [],
"nonStandardCodes": [],
"enableCompression": true,
@ -14,7 +14,7 @@
"enableDirectoryListingWithDefaultHead": false,
"serverAdministratorEmail": "[no contact information]",
"stackHidden": false,
"enableRemoteLogBrowsing": true,
"enableRemoteLogBrowsing": false,
"exposeServerVersion": true,
"disableServerSideScriptExpose": true,
"rewriteMap": [

View file

@ -40,7 +40,7 @@
&nbsp;&nbsp;"enableDirectoryListingWithDefaultHead": false,<br/>
&nbsp;&nbsp;"serverAdministratorEmail": "[no contact information]",<br/>
&nbsp;&nbsp;"stackHidden": false,<br/>
&nbsp;&nbsp;"enableRemoteLogBrowsing": true,<br/>
&nbsp;&nbsp;"enableRemoteLogBrowsing": false,<br/>
&nbsp;&nbsp;"exposeServerVersion": true,<br/>
&nbsp;&nbsp;"disableServerSideScriptExpose": true,<br/>
&nbsp;&nbsp;"rewriteMap": [<br/>

11
svr.js
View file

@ -1793,11 +1793,10 @@ if (useWebRootServerSideScript) {
} else {
forbiddenPaths.serverSideScripts.push(getInitializePath("./serverSideScript.js"));
}
forbiddenPaths.serverSideScripts.push(getInitializePath("./temp/serverSideScript.js"));
forbiddenPaths.serverSideScriptDirectories = [];
forbiddenPaths.serverSideScriptDirectories.push(getInitializePath("./temp/modloader"));
forbiddenPaths.serverSideScriptDirectories.push(getInitializePath("./node_modules"));
forbiddenPaths.serverSideScriptDirectories.push(getInitializePath("./mods"));
forbiddenPaths.temp = getInitializePath("./temp");
forbiddenPaths.log = getInitializePath("./log");
// Create server
@ -4283,7 +4282,11 @@ if (!cluster.isPrimary) {
callServerError(403);
serverconsole.errmessage("Access to configuration file/certificates is denied.");
return;
} else if (isIndexOfForbiddenPath(decodedHref, "log") && !isProxy && (configJSON.enableLogging || configJSON.enableLogging == undefined) && !(configJSON.enableRemoteLogBrowsing || configJSON.enableRemoteLogBrowsing == undefined)) {
} else if (isForbiddenPath(decodedHref, "temp") && !isProxy) {
callServerError(403);
serverconsole.errmessage("Access to temporary folder is denied.");
return;
} else if (isIndexOfForbiddenPath(decodedHref, "log") && !isProxy && (configJSON.enableLogging || configJSON.enableLogging == undefined) && !configJSON.enableRemoteLogBrowsing) {
callServerError(403);
serverconsole.errmessage("Access to log files is denied.");
return;
@ -5498,7 +5501,7 @@ function saveConfig() {
if (configJSONobj.enableDirectoryListingWithDefaultHead === undefined) configJSONobj.enableDirectoryListingWithDefaultHead = false;
if (configJSONobj.serverAdministratorEmail === undefined) configJSONobj.serverAdministratorEmail = "[no contact information]";
if (configJSONobj.stackHidden === undefined) configJSONobj.stackHidden = false;
if (configJSONobj.enableRemoteLogBrowsing === undefined) configJSONobj.enableRemoteLogBrowsing = true;
if (configJSONobj.enableRemoteLogBrowsing === undefined) configJSONobj.enableRemoteLogBrowsing = false;
if (configJSONobj.exposeServerVersion === undefined) configJSONobj.exposeServerVersion = true;
if (configJSONobj.disableServerSideScriptExpose === undefined) configJSONobj.disableServerSideScriptExpose = true;
if (configJSONobj.allowStatus === undefined) configJSONobj.allowStatus = true;