From be86169a8a8249ca59051eb5c06801088a99233e Mon Sep 17 00:00:00 2001
From: Scott Nonnenberg
Date: Wed, 10 Apr 2019 12:17:40 -0700
Subject: [PATCH] Windows: Do our file filtration with case-insensitive checks
---
 app/protocol_filter.js | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/app/protocol_filter.js b/app/protocol_filter.js
index d510831cb9..d1bc9d98db 100644
--- a/app/protocol_filter.js
+++ b/app/protocol_filter.js
@@ -25,27 +25,35 @@ function _createFileHandler({ userDataPath, installPath, isWindows }) {
 return (request, callback) => {
 // normalize() is primarily useful here for switching / to \ on windows
 const target = path.normalize(_urlToPath(request.url, { isWindows }));
+ // here we attempt to follow symlinks to the ultimate final path, reflective of what
+ // we do in main.js on userDataPath and installPath
 const realPath = fs.existsSync(target) ? fs.realpathSync(target) : target;
+ // finally we do case-insensitive checks on windows
+ const properCasing = isWindows ? realPath.toLowerCase() : realPath;
- if (!path.isAbsolute(realPath)) {
+ if (!path.isAbsolute(properCasing)) {
 console.log(
- `Warning: denying request to non-absolute path '${realPath}'`
+ `Warning: denying request to non-absolute path '${properCasing}'`
 );
 return callback();
 }
 if (
- !realPath.startsWith(userDataPath) &&
- !realPath.startsWith(installPath)
+ !properCasing.startsWith(
+ isWindows ? userDataPath.toLowerCase() : userDataPath
+ ) &&
+ !properCasing.startsWith(
+ isWindows ? installPath.toLowerCase() : installPath
+ )
 ) {
 console.log(
- `Warning: denying request to path '${realPath}' (userDataPath: '${userDataPath}', installPath: '${installPath}')`
+ `Warning: denying request to path '${properCasing}' (userDataPath: '${userDataPath}', installPath: '${installPath}')`
 );
 return callback();
 }
 return callback({
- path: realPath,
+ path: properCasing,
 });
 };
 }
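Review bot: The allow-list test in the `if (...)` condition is still a bare string prefix match, so a sibling directory whose name merely begins with the same characters as `userDataPath` or `installPath` passes it, unless those values are guaranteed to end in a separator (main.js is not visible here, so that is unconfirmed). Compare on a directory boundary instead, e.g. `const base = root.endsWith(path.sep) ? root : root + path.sep;` followed by `candidate === root || candidate.startsWith(base)`, with both sides lower-cased on Windows as this commit already does. Separately, `path: properCasing` hands the lower-cased string to the protocol callback; keeping the folded value for the comparison only and returning `path: realPath` avoids depending on the volume resolving names case-insensitively. The two roots could also be lower-cased once in `_createFileHandler` rather than on every request. The function body starts before this hunk, so any earlier validation of `request.url` is not visible here.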