From 4bd8d7eb91524cc936bc607f8291804689de35ea Mon Sep 17 00:00:00 2001 From: Daan Sprenkels Date: Tue, 13 Nov 2018 00:14:25 +0100 Subject: Disallow creation of robots.txt in freeurl Add a configuration setting to "hard"-disable creation of notes as set by the configuration value. This defaults to `['robots.txt', 'favicon.ico']`, because these files are often accidentally created by bots and browsers. This commit fixes #1052. Signed-off-by: Daan Sprenkels --- lib/config/default.js | 1 + lib/config/environment.js | 1 + lib/response.js | 2 +- 3 files changed, 3 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/config/default.js b/lib/config/default.js index 15f11aaa..c04bda3c 100644 --- a/lib/config/default.js +++ b/lib/config/default.js @@ -31,6 +31,7 @@ module.exports = { allowAnonymous: true, allowAnonymousEdits: false, allowFreeURL: false, + forbiddenNoteIDs: ['robots.txt', 'favicon.ico', 'api'], defaultPermission: 'editable', dbURL: '', db: {}, diff --git a/lib/config/environment.js b/lib/config/environment.js index 0c7c9a4f..8526e3ee 100644 --- a/lib/config/environment.js +++ b/lib/config/environment.js @@ -27,6 +27,7 @@ module.exports = { allowAnonymous: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS), allowAnonymousEdits: toBooleanConfig(process.env.CMD_ALLOW_ANONYMOUS_EDITS), allowFreeURL: toBooleanConfig(process.env.CMD_ALLOW_FREEURL), + forbiddenNoteIDs: toArrayConfig(process.env.CMD_FORBIDDEN_NOTE_IDS), defaultPermission: process.env.CMD_DEFAULT_PERMISSION, dbURL: process.env.CMD_DB_URL, sessionSecret: process.env.CMD_SESSION_SECRET, diff --git a/lib/response.js b/lib/response.js index 671aa120..b94f473a 100644 --- a/lib/response.js +++ b/lib/response.js @@ -157,7 +157,7 @@ function findNote (req, res, callback, include) { include: include || null }).then(function (note) { if (!note) { - if (config.allowFreeURL && noteId) { + if (config.allowFreeURL && noteId && !config.forbiddenNoteIDs.includes(noteId)) { req.alias = noteId return newNote(req, res) } else { -- cgit v1.2.3