|
|
|
@ -47,11 +47,12 @@ const is_allowed = path => allowed_paths.length === 0 || (path = normalize_path( |
|
|
|
|
|
|
|
|
|
http |
|
|
|
|
.createServer(async (req, res) => { |
|
|
|
|
const path = '.' + decodeURIComponent(req.url); |
|
|
|
|
if (req.method !== 'GET' && req.method !== 'HEAD') { |
|
|
|
|
send_error(res, 405, 'Method Not Allowed'); |
|
|
|
|
return; |
|
|
|
|
} |
|
|
|
|
const p = req.url.indexOf('?'); |
|
|
|
|
const path = '.' + decodeURIComponent(p > -1 ? req.url.slice(0, p) : req.url); |
|
|
|
|
if (!path.startsWith('./') || path.includes('/..') || path.includes('\\')) { |
|
|
|
|
send_error(res, 403, 'Forbidden'); |
|
|
|
|
return; |
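Review bot: The new `decodeURIComponent(...)` call on the `const path = ...` line throws a URIError on malformed percent-encoding (for example a request URL of `/%` or a truncated multibyte sequence), and nothing in the hunk catches it; since the handler is an `async` arrow function whose returned promise `http.createServer` ignores, that becomes an unhandled rejection and the response is never ended, so unless something outside this hunk guards it, a single bad request can leave a hanging connection or, under Node's default unhandled-rejection policy, bring the process down. Decoding before the `'./'` / `'/..'` / `'\\'` check is the right order, so the fix is only to wrap the decode and answer 400 on failure, as below; consider also rejecting a decoded NUL byte in the same 403 guard (`path.includes('\0')`), since it otherwise surfaces later as an fs argument error. The enclosing request handler starts at `.createServer(async (req, res) => {` inside the hunk and continues past its end.
```javascript
const p = req.url.indexOf('?');
let path;
try {
  path = '.' + decodeURIComponent(p > -1 ? req.url.slice(0, p) : req.url);
} catch {
  // malformed percent-encoding: reject instead of letting the URIError escape the async handler
  send_error(res, 400, 'Bad Request');
  return;
}
// … unchanged: traversal / backslash check and 403 response …
```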
|
|
|
|