Fix:Static ebook route

advplyr 2023-05-28 08:39:41 -05:00
parent ca5f781531
commit 056da0ef70


@ -11,6 +11,7 @@ const { version } = require('../package.json')
const dbMigration = require('./utils/dbMigration')
const filePerms = require('./utils/filePerms')
const fileUtils = require('./utils/fileUtils')
const globals = require('./utils/globals')
const Logger = require('./Logger')
const Auth = require('./Auth')
@ -170,7 +171,23 @@ class Server {
const folder = library.folders.find(fol => fol.id === req.params.folder)
if (!folder) return res.status(404).send('Folder not found')
const remainingPath = req.params['0']
// Replace backslashes with forward slashes
const remainingPath = req.params['0'].replace(/\\/g, '/')
// Prevent path traversal
// e.g. ../../etc/passwd
if (/\/?\.?\.\//.test(remainingPath)) {
Logger.error(`[Server] Invalid path to get ebook "${remainingPath}"`)
return res.sendStatus(403)
}
// Check file ext is a valid ebook file
const filext = (Path.extname(remainingPath) || '').slice(1).toLowerCase()
if (!globals.SupportedEbookTypes.includes(filext)) {
Logger.error(`[Server] Invalid ebook file ext requested "${remainingPath}"`)
return res.sendStatus(403)
}
const fullPath = Path.join(folder.fullPath, remainingPath)
res.sendFile(fullPath)
})
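Review bot: The traversal guard on `remainingPath` is a pattern check on the request string rather than a containment check on the path that is finally served, so it only holds if the regex anticipates every spelling that `Path.join` will normalise. It also returns 403 for legitimate files under a directory whose name ends in a dot (a constructed example: `etc./book.epub` matches the `./` alternative). I would keep the extension allow-list and add a check after the join: `const root = Path.resolve(folder.fullPath)`, `const fullPath = Path.join(root, remainingPath)`, `if (!fullPath.startsWith(root + Path.sep)) return res.sendStatus(403)`. Neither check covers symlinks inside the library folder, if that matters for this deployment; the route handler begins above this hunk, so how `req.params['0']` is captured is not visible here.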