From 5c7d96b469c35f06e0d51324c6e867c61b451bdd Mon Sep 17 00:00:00 2001
From: Peter 'Pita' Martischka
Date: Thu, 30 Jun 2011 12:40:31 +0100
Subject: [PATCH] check pad urls before serving it

---
 node/server.js | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/node/server.js b/node/server.js
index 0166de448..108f7a677 100644
--- a/node/server.js
+++ b/node/server.js
@@ -75,16 +75,30 @@ async.waterfall([
 });
 
 //serve pad.html under /p
- app.get('/p/:pad', function(req, res)
+ app.get('/p/:pad', function(req, res, next)
 {
+ //ensure the padname is valid and the url doesn't end with a /
+ if(!isValidPadname(req.params.pad) || /\/$/.test(req.url))
+ {
+ next();
+ return;
+ }
+
 res.header("Server", serverName);
 var filePath = path.normalize(__dirname + "/../static/pad.html");
 res.sendfile(filePath);
 });
 
 //serve timeslider.html under /p/$padname/timeslider
- app.get('/p/:pad/timeslider', function(req, res)
+ app.get('/p/:pad/timeslider', function(req, res, next)
 {
+ //ensure the padname is valid and the url doesn't end with a /
+ if(!isValidPadname(req.params.pad) || /\/$/.test(req.url))
+ {
+ next();
+ return;
+ }
+
 res.header("Server", serverName);
 var filePath = path.normalize(__dirname + "/../static/timeslider.html");
 res.sendfile(filePath);
@@ -132,3 +146,12 @@ async.waterfall([
 callback(null);
 }
 ]);
+
+function isValidPadname(padname)
+{
+ //ensure there is no dollar sign in the pad name
+ if(padname.indexOf("$")!=-1)
+ return false;
+
+ return true;
+}
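Review bot: The trailing-slash guard added to both `app.get('/p/:pad', …)` and `app.get('/p/:pad/timeslider', …)` runs `/\/$/` against `req.url`, which carries the query string as well as the path, so a request such as `/p/somepad?ref=/` is handed to `next()` although the routed path has no trailing slash; test the path component instead, e.g. `var pathname = require('url').parse(req.url).pathname;` followed by `/\/$/.test(pathname)` (Node's `url` module is standard library, so this adds no dependency). The identical seven-line guard is pasted into both handlers; registering one `function requireValidPadname(req, res, next)` middleware in front of the two routes keeps the rule in a single place when further checks are added. The enclosing `async.waterfall` callback starts and ends outside the hunk.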
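Review bot: `isValidPadname` is a one-character blocklist: it rejects `$` and accepts everything else, including whitespace and control characters, and its comment restates the check rather than saying why `$` is reserved. Name the reason so the next maintainer can judge whether the list is complete, e.g. `// "$" is reserved: <TODO: name the key or format it would collide with>`, and consider stating the rule as an allowlist of permitted characters, which stays correct as new uses of the pad name appear. The body also reads more directly as `return padname.indexOf("$") === -1;` (strict comparison, no two-branch `if`).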