authorSheogorath2018-06-24 00:32:41 +0200
committerSheogorath2018-06-24 00:32:50 +0200
commitb7b621822c518f659f775343332945bc545cb094 (patch)
tree79cde31f6348815538395fbdc057f1d65bdd434d
parent7c7cc289f2c2b2e33a32ea32a6e97ea1410cc63e (diff)
Fix possible line-ending issues for init note
By uploading a malicious note it is currently possible to prevent this note from being edited. This happens when using Windows line endings. With this commit we remove all `\r` characters from the notes and thereby prevent this problem. Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Diffstat (limited to '')
-rw-r--r--lib/response.js4
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/response.js b/lib/response.js
index 4cfa9a74..335f1000 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -145,6 +145,8 @@ function responseHackMD (res, note) {
function newNote (req, res, next) {
var owner = null
+ var body = req.body ? req.body : ''
+ body = body.replace(/[\r]/g, '')
if (req.isAuthenticated()) {
owner = req.user.id
} else if (!config.allowAnonymous) {
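Review bot: The added `body.replace(...)` assumes `req.body` is a string, but the truthiness test on the line above lets any truthy non-string through. If the body parser on this route can leave an object there (body-parser's text parser appears to do so for a non-matching content type; the route setup is not visible here), the call throws a TypeError before the authentication check, where the old code passed the value straight to `Note.create`. I would guard on the type and normalise rather than strip: `var body = typeof req.body === 'string' ? req.body.replace(/\r\n?/g, '\n') : ''`. That still removes every `\r`, but a note using bare CR line endings keeps its line breaks instead of being joined into one line, and the redundant character class in `/[\r]/g` goes away. newNote's body continues outside this hunk, and the following hunk passes `body` as `content`.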
@@ -153,7 +155,7 @@ function newNote (req, res, next) {
models.Note.create({
ownerId: owner,
alias: req.alias ? req.alias : null,
- content: req.body ? req.body : ''
+ content: body
}).then(function (note) {
return res.redirect(config.serverURL + '/' + models.Note.encodeNoteId(note.id))
}).catch(function (err) {