From 76d0720727b2261a0c7384eae3e6675f1b3ec1f9 Mon Sep 17 00:00:00 2001 From: zefie Date: Wed, 23 Nov 2022 23:45:48 -0500 Subject: [PATCH] fix security issue with favorites --- .../ServiceVault/wtv-favorite/commit-add-folder.js | 10 +++++----- zefie_wtvp_minisrv/includes/WTVFavorites.js | 10 +++++++++- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/zefie_wtvp_minisrv/ServiceVault/wtv-favorite/commit-add-folder.js b/zefie_wtvp_minisrv/ServiceVault/wtv-favorite/commit-add-folder.js index bb440e03..2a139bd8 100644 --- a/zefie_wtvp_minisrv/ServiceVault/wtv-favorite/commit-add-folder.js +++ b/zefie_wtvp_minisrv/ServiceVault/wtv-favorite/commit-add-folder.js @@ -14,17 +14,17 @@ if (foldername) { if (folder_array.length < minisrv_config.services[service_name].max_folders) { - //if (session_data.favstore.checkFolderName(foldername) == true) - //{ + if (session_data.favstore.checkFolderName(foldername) == true) + { session_data.favstore.createFolder(foldername); headers = `300 OK Connection: Keep-Alive Content-Type: text/html Location: wtv-favorite:/favorite wtv-expire-all: wtv-favorite:` - //} else { - // headers = `400 That folder name is not valid. Choose a different name and try again.` - //} + } else { + headers = `400 That folder name is not valid. Choose a different name and try again.` + } } else { headers = `400 You can only have ${minisrv_config.services[service_name].max_folders} folders at one time. Delete some folders and try again.` } diff --git a/zefie_wtvp_minisrv/includes/WTVFavorites.js b/zefie_wtvp_minisrv/includes/WTVFavorites.js index 74e72f03..20b536fe 100644 --- a/zefie_wtvp_minisrv/includes/WTVFavorites.js +++ b/zefie_wtvp_minisrv/includes/WTVFavorites.js 
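Review bot: The re-enabled `session_data.favstore.checkFolderName(foldername)` call on the `+ if` line has no error handling, and the `checkFolderName` this same patch adds in the WTVFavorites.js hunk builds its pattern from `"^([A-Za-z0-9\-\_]{1,}$"`, whose `(` is never closed, so `new RegExp` throws a SyntaxError instead of returning false and every add-folder request fails with an exception rather than the intended `400` response. The fix belongs in the WTVFavorites.js hunk: replace the three regex lines with `return /^[A-Za-z0-9_-]+$/.test(foldername);` (inside a string literal `\-` and `\_` are no-op escapes anyway, and a regex literal avoids both the unbalanced group and the double escaping). On this side, `== true` adds nothing and can be dropped: `if (session_data.favstore.checkFolderName(foldername)) {`. The enclosing `if (foldername)` block closes outside this hunk.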
@@ -73,7 +73,15 @@ class WTVFavorites {
 var store_dir = this.favstore_dir + folder_dir;
 }
 return store_dir;
- }
+ }
+
+
+ checkFolderName(foldername) {
+ var regex_str = "^([A-Za-z0-9\-\_]{1,}$";
+ var regex = new RegExp(regex_str);
+ return regex.test(foldername);
+ }
+
 createTemplateFolder(folder) {
 // create emply folder