From a94c6d748a6e2217f2bddd98e91956c177f23a63 Mon Sep 17 00:00:00 2001
From: FHV
Date: Tue, 4 Apr 2017 10:38:41 -0400
Subject: [PATCH 1/2] Add escaping for bad platform string.

---
 lib/nuts.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/nuts.js b/lib/nuts.js
index 1642158b..ae094564 100644
--- a/lib/nuts.js
+++ b/lib/nuts.js
@@ -186,7 +186,7 @@ Nuts.prototype.onDownload = function(req, res, next) {
 });
 }

- if (!asset) throw new Error("No download available for platform "+platform+" for version "+version.tag+" ("+(channel || "beta")+")");
+ if (!asset) throw new Error("No download available for platform "+_.escape(platform)+" for version "+version.tag+" ("+(channel || "beta")+")");

 // Call analytic middleware, then serve
 return that.serveAsset(req, res, version, asset);
@@ -202,7 +202,7 @@ Nuts.prototype.onUpdateRedirect = function(req, res, next) {
 if (!req.query.version) throw new Error('Requires "version" parameter');
 if (!req.query.platform) throw new Error('Requires "platform" parameter');

- return res.redirect('/update/'+req.query.platform+'/'+req.query.version);
+ return res.redirect('/update/'+_.escape(req.query.platform)+'/'+req.query.version);
 })
 .fail(next);
 };
From f37116ae13a2711cb1a0671fc11f1e0c3822a59b Mon Sep 17 00:00:00 2001
From: Oskar Gewalli
Date: Mon, 11 Dec 2017 13:18:24 +0100
Subject: [PATCH 2/2] Update nuts.js

---
 lib/nuts.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/nuts.js b/lib/nuts.js
index d954f6a9..645e2abb 100644
--- a/lib/nuts.js
+++ b/lib/nuts.js
@@ -215,7 +215,7 @@ Nuts.prototype.onUpdateRedirect = function(req, res, next) {
 if (!req.query.version) throw new Error('Requires "version" parameter');
 if (!req.query.platform) throw new Error('Requires "platform" parameter');

- return res.redirect('/update/'+_.escape(req.query.platform)+'/'+req.query.version);
+ return res.redirect('/update/'+_.escape(req.query.platform)+'/'+_.escape(req.query.version));
 })
 .fail(next);
 };
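Review bot: In the onDownload hunk only `platform` is escaped, while `channel` and `version.tag` are concatenated into the same error message raw; if `channel` is request-derived like `platform` (its origin is outside the hunk), the reflection this patch targets would remain through that field. At minimum the line could use `_.escape(channel || "beta")` as well. Escaping inside the `Error` text also ties the fix to this one throw site and puts entity-encoded values into logs, so encoding the message once where the error handler writes it into the response would cover every thrown message. The body of onDownload starts and ends outside the hunk.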
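Review bot: `_.escape` is an HTML-entity encoder, but in the onUpdateRedirect hunk its output goes into a URL path handed to `res.redirect`, so the value is encoded for the wrong context. Characters such as `/`, `?`, `#`, `%` and `..` pass through unchanged, and the entities it emits contain `&`, `#` and `;`, which alter how the redirect target parses. The same applies to the `version` segment escaped in PATCH 2/2. For a path segment the line would be `return res.redirect('/update/'+encodeURIComponent(req.query.platform)+'/'+encodeURIComponent(req.query.version));`. The existing `!req.query.platform` checks only test truthiness, so a `typeof req.query.platform === 'string'` guard (and the same for `version`) is worth adding if the query parser can yield arrays or objects; the function body starts outside the hunk.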