Fixed "broken access control" (it hid configuration files, but it returned 200 OK instead of 403 Forbidden)

2023-11-23 03:48:46 +01:00 · 2023-11-23 03:48:46 +01:00 · d86d190f0b
commit d86d190f0b
parent cae1d77e4f
1 changed files with 17 additions and 3 deletions
--- a/index.js
+++ b/index.js
@ -594,13 +594,27 @@ Mod.prototype.callback = function (req, res, serverconsole, responseEnd, href, e
      });
    } else if ((href == "/redbrick-interpreters.json" || href == "/redbrick-scriptexts.json" || (os.platform() == "win32" && (href.toLowerCase() == "/redbrick-interpreters.json" || href.toLowerCase() == "/redbrick-scriptexts.json"))) && path.normalize(__dirname + "/../../..") == process.cwd()) {
      if (!callServerError) {
-        res.writeHead(200, "OK", {
-          "Content-Type": "application/json",
+        res.writeHead(403, "Forbidden", {
+          "Content-Type": "text/html",
          "Server": "RedBrick/" + version
        });
+        res.write(
+            "<html><head><title>403 Forbidden</title></head><body><h1>403 Forbidden</h1><p>You don't have access to specific page.</p><p style=\"font-style: italic; font-weight: normal;\">SVR.JS " +
+                    configJSON.version +
+                    " (" +
+                    os.platform()[0].toUpperCase() +
+                    os.platform().slice(1) +
+                    "; Node.JS/" +
+                    process.version +
+                    ") RedBrick/" +
+                    version +
+                    " " +
+                    (req.headers.host == undefined ? "" : " on " + req.headers.host) +
+                    "</p></body></html>"
+            );
        res.end(JSON.stringify(exttointerpreteruser, null, 2));
      } else {
-        callServerError(200, "RedBrick/" + version, exttointerpreteruser);
+        callServerError(403, "RedBrick/" + version);
      }
    } else {
      elseCallback();