From 9381b3dec0913a9aa0eb0fcb136f165e0a2f7472 Mon Sep 17 00:00:00 2001
From: Dorian Niemiec
Date: Wed, 30 Aug 2023 17:34:56 +0200
Subject: [PATCH] Narrowed down conditions for CGI execution for security reasons
---
 index.js | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/index.js b/index.js
index a8338f4..9e021c2 100644
--- a/index.js
+++ b/index.js
@@ -56,14 +56,15 @@ Mod.prototype.callback = function (req, res, serverconsole, responseEnd, href, e
 ".sh": ["bash"],
 ".ksh": ["ksh"],
 ".csh": ["csh"],
- ".bat": ["cmd", "/c"],
- ".cmd": ["cmd", "/c"],
- ".vbs": ["cscript"],
- ".jar": ["java"],
- ".pyw": ["python"],
 ".rb": ["ruby"],
 ".php": ["php-cgi"]
 };
+ if(os.platform() == "win32") {
+ exttointerpreter[".exe"] = [];
+ exttointerpreter[".bat"] = ["cmd", "/c"];
+ exttointerpreter[".cmd"] = ["cmd", "/c"];
+ exttointerpreter[".vbs"] = ["cscript"];
+ }
 var exttointerpreteruser = {};
 fs.readFile(__dirname + "/../../../redbrick-interpreters.json", function (err, data) {
 if (!err) {
@@ -115,7 +116,7 @@ Mod.prototype.callback = function (req, res, serverconsole, responseEnd, href, e
 return arg.replace(/"/g, "");
 });
 afterShebangCallback(args);
- } else if (line.substr(0, 2) == "MZ" || line.substr(0, 4) == "\x7fELF") {
+ } else if (os.platform() != "win32" && line.substr(0, 4) == "\x7fELF") {
 afterShebangCallback("binary");
 } else {
 afterShebangCallback(false);
@@ -146,7 +147,10 @@ Mod.prototype.callback = function (req, res, serverconsole, responseEnd, href, e
 }
 } else {
 args = exttointerpreteruser[ext];
- if (!args) {
+ if (args === null) {
+ elseCallback();
+ return;
+ } else if (!args) {
 args = exttointerpreter[ext];
 if (!args) {
 elseCallback();
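Review bot: The empty array assigned to `exttointerpreter[".exe"]` carries a meaning the block never states: presumably it tells the caller to run the file itself with no interpreter, and it survives the later `!args` test only because an empty array is truthy in JavaScript. I would add `// [] = execute the file directly, no interpreter; Windows only` above that line so nobody tidies it to `null` or `""` and silently changes which files execute. `os` is not required anywhere in the visible hunks, so confirm it is in scope in index.js, and use `===` in `os.platform() === "win32"`. The same platform test recurs in the hunk at -115; the callback body starts and ends outside this hunk.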
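Review bot: On non-Windows hosts the new condition still marks a file as a native executable from its first four bytes alone, so any ELF file that lands under a CGI-served path is treated as "binary" whatever its extension; what `afterShebangCallback("binary")` then checks (execute permission, directory) is outside the hunk and should be confirmed. A comment would record the asymmetry the commit introduces: `// Windows: executables are matched by the .exe entry in exttointerpreter, never by the MZ magic; ELF detection applies to other platforms only`. `substr` is a legacy method; `line.slice(0, 4) === "\x7fELF"` reads the same and uses strict equality. The enclosing function starts and ends outside the hunk.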
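Review bot: Only a literal `null` in the user map disables an extension in the new `args === null` branch; `false`, `""` or `0` still fall through to `else if (!args)` and pick up the built-in interpreter, so an administrator who writes `".php": false` in redbrick-interpreters.json keeps PHP CGI enabled. Either document the contract with `// null = CGI disabled for this extension; a missing key falls back to exttointerpreter` or widen the test to `if (args === null || args === false) {`. Values of any other type from the user file appear to flow on as `args` unchecked; how the file is parsed and validated is outside the hunk, so that should be confirmed there. The surrounding if/else chain starts and ends outside the hunk.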