Fix possible line-ending issues for init note

By uploading a malicous note currently it is possible to prevent this
note from being edited. This happens when using Windows line endings.

With this commit we remove all `\r` characters from the notes and this
way prevent this problem.

Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
This commit is contained in:
Sheogorath 2018-06-24 00:32:41 +02:00
parent 7c7cc289f2
commit b7b621822c
No known key found for this signature in database
GPG Key ID: 1F05CC3635CDDFFD
1 changed files with 3 additions and 1 deletions

View File

@ -145,6 +145,8 @@ function responseHackMD (res, note) {
function newNote (req, res, next) { function newNote (req, res, next) {
var owner = null var owner = null
var body = req.body ? req.body : ''
body = body.replace(/[\r]/g, '')
if (req.isAuthenticated()) { if (req.isAuthenticated()) {
owner = req.user.id owner = req.user.id
} else if (!config.allowAnonymous) { } else if (!config.allowAnonymous) {
@ -153,7 +155,7 @@ function newNote (req, res, next) {
models.Note.create({ models.Note.create({
ownerId: owner, ownerId: owner,
alias: req.alias ? req.alias : null, alias: req.alias ? req.alias : null,
content: req.body ? req.body : '' content: body
}).then(function (note) { }).then(function (note) {
return res.redirect(config.serverURL + '/' + models.Note.encodeNoteId(note.id)) return res.redirect(config.serverURL + '/' + models.Note.encodeNoteId(note.id))
}).catch(function (err) { }).catch(function (err) {