From 7dfdad02f56b1f6dc76c717e21fcdd651560c81a Mon Sep 17 00:00:00 2001
From: Henry Oswald
Date: Tue, 12 May 2015 15:17:18 +0100
Subject: [PATCH] change regex checking file request ensure other files can not be accessed

---
 .../clsi/app/coffee/StaticServerForbidSymlinks.coffee | 4 ++--
 .../coffee/StaticServerForbidSymlinksTests.coffee | 11 +++++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/services/clsi/app/coffee/StaticServerForbidSymlinks.coffee b/services/clsi/app/coffee/StaticServerForbidSymlinks.coffee
index 348eccab0a..83ca4ca703 100644
--- a/services/clsi/app/coffee/StaticServerForbidSymlinks.coffee
+++ b/services/clsi/app/coffee/StaticServerForbidSymlinks.coffee
@@ -9,8 +9,8 @@ module.exports = ForbidSymlinks = (staticFn, root, options) ->
 basePath = Path.resolve(root)
 return (req, res, next) ->
 path = url.parse(req.url)?.pathname
- # check that the path is of the form /project_id/path/to/file
- if result = path.match(/^\/?(\w+)\/(.*)/)
+ # check that the path is of the form /project_id_or_name/path/to/file.log
+ if result = path.match(/^\/?([a-zA-Z0-9_-]+)\/(.*)/)
 project_id = result[1]
 file = result[2]
 else
diff --git a/services/clsi/test/unit/coffee/StaticServerForbidSymlinksTests.coffee b/services/clsi/test/unit/coffee/StaticServerForbidSymlinksTests.coffee
index e6b7f5f925..4a87d64207 100644
--- a/services/clsi/test/unit/coffee/StaticServerForbidSymlinksTests.coffee
+++ b/services/clsi/test/unit/coffee/StaticServerForbidSymlinksTests.coffee
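Review bot: The new pattern only tightens the `project_id` capture; the file capture `(.*)` is unchanged and still accepts `..` segments and percent-encoded forms in `file`, so the regex line alone does not guarantee that files outside a project directory cannot be reached, despite what the commit title says. Whatever containment exists must come from the code after the `else` branch (the returned handler continues past this hunk), presumably the realpath comparison against `basePath` that the test file's `fs.realpath` stub hints at, which should be confirmed rather than assumed. It would help to make that division of labour explicit on the `if` line, e.g. `# project_id must be [a-zA-Z0-9_-]+; containment of `file` within basePath is enforced by the realpath check below`, and to add a unit test with a `..` segment in the file part that asserts the request is rejected. Note also that `path` is the result of `url.parse(req.url)?.pathname` and can be undefined, in which case `path.match` throws; this predates the commit but the new comment is a good place to record the expectation.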
@@ -134,6 +134,17 @@ describe "StaticServerForbidSymlinks", ->
 done()
 @StaticServerForbidSymlinks @req, @res
+ describe "with a github style path", ->
+ beforeEach ->
+ @req.url = "/henryoswald-latex_example/output/output.log"
+ @fs.realpath = sinon.stub().callsArgWith(1, null, "#{@settings.path.compilesDir}/henryoswald-latex_example/output/output.log")
+
+ it "should call next", (done)->
+ @res.sendStatus = (resCode)->
+ resCode.should.equal 200
+ done()
+ @StaticServerForbidSymlinks @req, @res, done
+
 describe "with an error from fs.realpath", ->
 beforeEach ->