From b7b621822c518f659f775343332945bc545cb094 Mon Sep 17 00:00:00 2001 From: Sheogorath Date: Sun, 24 Jun 2018 00:32:41 +0200 Subject: Fix possible line-ending issues for init note By uploading a malicous note currently it is possible to prevent this note from being edited. This happens when using Windows line endings. With this commit we remove all `\r` characters from the notes and this way prevent this problem. Signed-off-by: Sheogorath --- lib/response.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'lib') diff --git a/lib/response.js b/lib/response.js index 4cfa9a74..335f1000 100644 --- a/lib/response.js +++ b/lib/response.js @@ -145,6 +145,8 @@ function responseHackMD (res, note) { function newNote (req, res, next) { var owner = null + var body = req.body ? req.body : '' + body = body.replace(/[\r]/g, '') if (req.isAuthenticated()) { owner = req.user.id } else if (!config.allowAnonymous) { @@ -153,7 +155,7 @@ function newNote (req, res, next) { models.Note.create({ ownerId: owner, alias: req.alias ? req.alias : null, - content: req.body ? req.body : '' + content: body }).then(function (note) { return res.redirect(config.serverURL + '/' + models.Note.encodeNoteId(note.id)) }).catch(function (err) { -- cgit v1.2.3