Narrowed down conditions for CGI execution for security reasons

2023-08-30 17:34:56 +02:00 · 2023-08-30 17:34:56 +02:00 · 9381b3dec0
commit 9381b3dec0
parent b4de66359d
1 changed files with 11 additions and 7 deletions
--- a/index.js
+++ b/index.js
@ -56,14 +56,15 @@ Mod.prototype.callback = function (req, res, serverconsole, responseEnd, href, e
        ".sh": ["bash"],
        ".ksh": ["ksh"],
        ".csh": ["csh"],
-        ".bat": ["cmd", "/c"],
-        ".cmd": ["cmd", "/c"],
-        ".vbs": ["cscript"],
-        ".jar": ["java"],
-        ".pyw": ["python"],
        ".rb": ["ruby"],
        ".php": ["php-cgi"]
      };
+      if(os.platform() == "win32") {
+        exttointerpreter[".exe"] = [];
+        exttointerpreter[".bat"] = ["cmd", "/c"];
+        exttointerpreter[".cmd"] = ["cmd", "/c"];
+        exttointerpreter[".vbs"] = ["cscript"];
+      }
      var exttointerpreteruser = {};
      fs.readFile(__dirname + "/../../../redbrick-interpreters.json", function (err, data) {
        if (!err) {
@ -115,7 +116,7 @@ Mod.prototype.callback = function (req, res, serverconsole, responseEnd, href, e
                  return arg.replace(/"/g, "");
                });
                afterShebangCallback(args);
-              } else if (line.substr(0, 2) == "MZ" || line.substr(0, 4) == "\x7fELF") {
+              } else if (os.platform() != "win32" && line.substr(0, 4) == "\x7fELF") {
                afterShebangCallback("binary");
              } else {
                afterShebangCallback(false);
@ -146,7 +147,10 @@ Mod.prototype.callback = function (req, res, serverconsole, responseEnd, href, e
            }
          } else {
            args = exttointerpreteruser[ext];
-            if (!args) {
+            if (args === null) {
+              elseCallback();
+              return;
+            } else if (!args) {
              args = exttointerpreter[ext];
              if (!args) {
                elseCallback();