From d097211c545118ac13626e1b0a01390b08880ad7 Mon Sep 17 00:00:00 2001 From: Sheogorath Date: Mon, 23 Nov 2020 12:50:39 +0100 Subject: Fix unauthenticated file uploads This patch fixes the issue of unauthenticated users, being able to upload files, even when anonymous edits are disabled. It's implemented by blocking uploads when either `allowAnonymous` is set to `false` for all unauthenticated users, unless `allowAnonymousEdits` is set to true, to make sure anonymous editors still experience the full feature set. Signed-off-by: Christoph Kern --- lib/web/imageRouter/index.js | 3 +++ 1 file changed, 3 insertions(+) (limited to 'lib') diff --git a/lib/web/imageRouter/index.js b/lib/web/imageRouter/index.js index b5c486c3..f456fd30 100644 --- a/lib/web/imageRouter/index.js +++ b/lib/web/imageRouter/index.js @@ -23,6 +23,9 @@ imageRouter.post('/uploadimage', function (req, res) { if (err) { logger.error(`formidable error: ${err}`) return errors.errorForbidden(res) + } else if (!req.isAuthenticated() && !config.allowAnonymous && !config.allowAnonymousEdits) { + logger.error(`formidable error: Anonymous edits and therefore uploads are not allowed)`) + return errors.errorForbidden(res) } else if (!files.image || !files.image.path) { logger.error(`formidable error: Upload didn't contain file)`) return errors.errorBadRequest(res) -- cgit v1.2.3