padurlsanitize: Don't crash if `sanitizePadId()` throws

Let Express send a 500 status code to the user instead.

Co-authored-by: Richard Hansen <rhansen@rhansen.org>
pull/5106/head
webzwo0i 2021-07-05 06:12:02 +02:00 committed by Richard Hansen
parent 4733c7d8d3
commit 8b73f2ee70
2 changed files with 20 additions and 16 deletions

View File

@ -15,6 +15,7 @@
from the database when the group is deleted.
* Fixed race conditions in the `setText`, `appendText`, and `restoreRevision`
functions (HTTP API).
* Fixed a crash if the database is busy enough to cause a query timeout.
#### For plugin authors

View File

@ -4,7 +4,8 @@ const padManager = require('../../db/PadManager');
exports.expressCreateServer = (hookName, args, cb) => {
// redirects browser to the pad's sanitized url if needed. otherwise, renders the html
args.app.param('pad', async (req, res, next, padId) => {
args.app.param('pad', (req, res, next, padId) => {
(async () => {
// ensure the padname is valid and the url doesn't end with a /
if (!padManager.isValidPadId(padId) || /\/$/.test(req.url)) {
res.status(404).send('Such a padname is forbidden');
@ -18,10 +19,12 @@ exports.expressCreateServer = (hookName, args, cb) => {
next();
} else {
// the pad id was sanitized, so we redirect to the sanitized version
const realURL = encodeURIComponent(sanitizedPadId) + new URL(req.url, 'http://invalid.invalid').search;
const realURL =
encodeURIComponent(sanitizedPadId) + new URL(req.url, 'http://invalid.invalid').search;
res.header('Location', realURL);
res.status(302).send(`You should be redirected to <a href="${realURL}">${realURL}</a>`);
}
})().catch((err) => next(err || new Error(err)));
});
return cb();
};