From cf01039b5390042f0171c7f119655353b45febb2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E6=B6=B5=E6=9B=A6?=
Date: Thu, 1 Aug 2024 00:46:18 +0000
Subject: [PATCH] =?UTF-8?q?fix:=20=E5=A4=84=E7=90=86=E5=AE=89=E5=85=A8?= =?UTF-8?q?=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 xiaomusic/gate.py | 4 +++-
 xiaomusic/httpserver.py | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/xiaomusic/gate.py b/xiaomusic/gate.py
index 8228def..2f2adcb 100644
--- a/xiaomusic/gate.py
+++ b/xiaomusic/gate.py
@@ -61,7 +61,9 @@ range_pattern = re.compile(r"bytes=(\d+)-(\d*)")
 @app.get("/music/{file_path:path}")
 async def music_file(request: Request, file_path: str):
 absolute_path = os.path.abspath(config.music_path)
- absolute_file_path = os.path.join(absolute_path, file_path)
+ absolute_file_path = os.path.normpath(os.path.join(absolute_path, file_path))
+ if not absolute_file_path.startswith(absolute_path):
+ raise HTTPException(status_code=404, detail="File not found")
 if not os.path.exists(absolute_file_path):
 raise HTTPException(status_code=404, detail="File not found")
diff --git a/xiaomusic/httpserver.py b/xiaomusic/httpserver.py
index 0383bc6..2d01e26 100644
--- a/xiaomusic/httpserver.py
+++ b/xiaomusic/httpserver.py
@@ -315,7 +315,9 @@ range_pattern = re.compile(r"bytes=(\d+)-(\d*)")
 @app.get("/music/{file_path:path}")
 async def music_file(request: Request, file_path: str):
 absolute_path = os.path.abspath(config.music_path)
- absolute_file_path = os.path.join(absolute_path, file_path)
+ absolute_file_path = os.path.normpath(os.path.join(absolute_path, file_path))
+ if not absolute_file_path.startswith(absolute_path):
+ raise HTTPException(status_code=404, detail="File not found")
 if not os.path.exists(absolute_file_path):
 raise HTTPException(status_code=404, detail="File not found")
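Review bot: The containment check added to music_file (`if not absolute_file_path.startswith(absolute_path):`) is a plain string-prefix test, so a sibling directory whose name merely begins with the music directory's name still passes it; the identical line appears in the xiaomusic/httpserver.py hunk and needs the same change. Compare path components instead: `if os.path.commonpath([absolute_path, absolute_file_path]) != absolute_path:`. Note also that `os.path.normpath` does not resolve symlinks, so whether links inside the music directory that point elsewhere should be served remains a policy decision for the maintainers; applying `os.path.realpath` to both sides before the comparison would reject them. Since the two handlers are byte-for-byte duplicates, a shared helper that returns the validated absolute path (or raises the 404) would keep both copies in step. The body of music_file continues past the end of both hunks.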