fix: 处理安全问题

hanxi · Aug 1, 2024 · cf01039 · cf01039
1 parent a8fefc6
commit cf01039
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/xiaomusic/gate.py b/xiaomusic/gate.py
@@ -61,7 +61,9 @@ async def file_iterator(file_path, start, end):
 @app.get("/music/{file_path:path}")
 async def music_file(request: Request, file_path: str):
     absolute_path = os.path.abspath(config.music_path)
-    absolute_file_path = os.path.join(absolute_path, file_path)
+    absolute_file_path = os.path.normpath(os.path.join(absolute_path, file_path))
+    if not absolute_file_path.startswith(absolute_path):
+        raise HTTPException(status_code=404, detail="File not found")
     if not os.path.exists(absolute_file_path):
         raise HTTPException(status_code=404, detail="File not found")
 

diff --git a/xiaomusic/httpserver.py b/xiaomusic/httpserver.py
@@ -315,7 +315,9 @@ async def file_iterator(file_path, start, end):
 @app.get("/music/{file_path:path}")
 async def music_file(request: Request, file_path: str):
     absolute_path = os.path.abspath(config.music_path)
-    absolute_file_path = os.path.join(absolute_path, file_path)
+    absolute_file_path = os.path.normpath(os.path.join(absolute_path, file_path))
+    if not absolute_file_path.startswith(absolute_path):
+        raise HTTPException(status_code=404, detail="File not found")
     if not os.path.exists(absolute_file_path):
         raise HTTPException(status_code=404, detail="File not found")