From f121614daa6b0bfa38a2a9d49c1287e126b29b25 Mon Sep 17 00:00:00 2001
From: Jack Allnutt
Date: Tue, 18 Nov 2014 22:52:51 +0000
Subject: [PATCH] Only allow modules to be loaded from te directory specified in the config file
---
 server/modules.js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/server/modules.js b/server/modules.js
index 08f17f5..11c1b6a 100644
--- a/server/modules.js
+++ b/server/modules.js
@@ -1,5 +1,6 @@
 var events = require('events'),
 util = require('util'),
+ path = require('path'),
 _ = require('lodash'),
 EventPublisher = require('./plugininterface.js');

@@ -39,7 +40,12 @@ var registered_modules = [];

 function loadModule (module_file) {
 var module,
- full_module_filename = global.config.module_dir + module_file;
+ full_module_filename = path.join(global.config.module_dir, module_file);
+
+ // Make sure that the module is contained in the proper module directory
+ if (full_module_filename.lastIndexOf(global.config.module_dir, 0) !== 0) {
+ return false;
+ }

 // Get an instance of the module and remove it from the cache
 try {
-- 
2.25.1
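Review bot: The containment check added to `loadModule` compares the normalised output of `path.join` with the raw `global.config.module_dir` string, so it is a string-prefix test rather than a directory-boundary test. If the configured directory has no trailing separator, a sibling directory whose name merely starts with the same characters still passes the check, and if the value is relative or un-normalised (for example written with a leading `./`) every legitimate module would be rejected. Normalising the base once and comparing against it with a trailing separator covers both cases: `var base = path.resolve(global.config.module_dir) + path.sep;`, then `full_module_filename = path.join(base, module_file);` and `if (full_module_filename.indexOf(base) !== 0) { return false; }`. Neither version resolves symlinks inside the module directory, and the body of `loadModule` continues past the end of this hunk, so the later `require` call is not visible here.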