external/MeshCentral
1
0
Fork 0
mirror of https://github.com/Ylianst/MeshCentral.git synced 2025-03-09 15:40:18 +00:00
Code Issues Releases Wiki Activity

Extra argument validation.

Browse source
This commit is contained in:
Ylian Saint-Hilaire 2025-02-25 19:57:27 -08:00
parent fe2f12149d
commit f19ad6c664
2 changed files with 3 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
meshuser.js
View file

@ -928,7 +928,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
// Get a short file and send it back on the web socket
if (common.validateString(command.file, 1, 4096) == false) return;
const scpath = meshPathToRealPath(command.path, user); // This will also check access rights
if (scpath == null) break;
if ((scpath == null) || (command.file !== parent.path.basename(command.file))) break;
const filePath = parent.path.join(scpath, command.file);
fs.stat(filePath, function (err, stat) {
if ((err != null) || (stat == null) || (stat.size >= 204800)) return;
@ -943,7 +943,7 @@ module.exports.CreateMeshUser = function (parent, db, ws, req, args, domain, use
if (common.validateString(command.file, 1, 4096) == false) return;
if (typeof command.data != 'string') return;
const scpath = meshPathToRealPath(command.path, user); // This will also check access rights
if (scpath == null) break;
if ((scpath == null) || (command.file !== parent.path.basename(command.file))) break;
const filePath = parent.path.join(scpath, command.file);
var data = null;
try { data = Buffer.from(command.data, 'base64'); } catch (ex) { return; }