mirror of https://github.com/verdaccio/verdaccio.git synced 2025-03-18 02:22:46 -05:00

safeguard against bad tarball names

Alex Kocharin 2013-12-16 00:54:29 +04:00
parent 3abce5e2b6
commit 693aa576b4


@ -1,6 +1,7 @@
var fs = require('fs')
, Path = require('path')
, crypto = require('crypto')
, assert = require('assert')
, fs_storage = require('./local-fs')
, UError = require('./error').UserError
, utils = require('./utils')
@ -258,6 +259,7 @@ Storage.prototype.change_package = function(name, metadata, revision, callback)
Storage.prototype.remove_tarball = function(name, filename, revision, callback) {
var self = this
assert(utils.validate_name(filename))
self.update_package(name, function updater(data, cb) {
if (data._attachments[filename]) {
@ -276,6 +278,8 @@ Storage.prototype.remove_tarball = function(name, filename, revision, callback)
}
Storage.prototype.add_tarball = function(name, filename) {
assert(utils.validate_name(filename))
var stream = new mystreams.UploadTarballStream()
, _transform = stream._transform
, length = 0
@ -355,6 +359,8 @@ Storage.prototype.add_tarball = function(name, filename) {
}
Storage.prototype.get_tarball = function(name, filename, callback) {
assert(utils.validate_name(filename))
var stream = new mystreams.ReadTarballStream()
stream.abort = function() {
rstream.close()
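Review bot: The `assert(utils.validate_name(filename))` guards added to remove_tarball, add_tarball and get_tarball throw a synchronous AssertionError on a bad tarball name, which suits a programmer invariant but not a value that may originate in a request path. If a caller passes an unvalidated filename, the throw bypasses both the callback and the stream 'error' path, so the failure surfaces as an uncaught exception or generic server error rather than a clean rejection; the callers are not visible here, so confirm that validation already happens upstream. Otherwise report it through the normal channel: in remove_tarball something like `if (!utils.validate_name(filename)) return callback(new UError({status: 400, msg: 'invalid tarball name'}))` (the UError constructor shape is assumed, verify against ./error), and in the two stream functions an 'error' event emitted on the returned stream on the next tick. `name` is not checked in any of the three functions, and all three bodies continue outside their hunks.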