fix: 处理安全问题
This commit is contained in:
涵曦
parent
a8fefc6f82
commit
cf01039b53
@ -61,7 +61,9 @@ range_pattern = re.compile(r"bytes=(\d+)-(\d*)")
|
|||||||
@app.get("/music/{file_path:path}")
|
@app.get("/music/{file_path:path}")
|
||||||
async def music_file(request: Request, file_path: str):
|
async def music_file(request: Request, file_path: str):
|
||||||
absolute_path = os.path.abspath(config.music_path)
|
absolute_path = os.path.abspath(config.music_path)
|
||||||
absolute_file_path = os.path.join(absolute_path, file_path)
|
absolute_file_path = os.path.normpath(os.path.join(absolute_path, file_path))
|
||||||
|
if not absolute_file_path.startswith(absolute_path):
|
||||||
|
raise HTTPException(status_code=404, detail="File not found")
|
||||||
if not os.path.exists(absolute_file_path):
|
if not os.path.exists(absolute_file_path):
|
||||||
raise HTTPException(status_code=404, detail="File not found")
|
raise HTTPException(status_code=404, detail="File not found")
|
||||||
|
|
||||||
|
|||||||
@ -315,7 +315,9 @@ range_pattern = re.compile(r"bytes=(\d+)-(\d*)")
|
|||||||
@app.get("/music/{file_path:path}")
|
@app.get("/music/{file_path:path}")
|
||||||
async def music_file(request: Request, file_path: str):
|
async def music_file(request: Request, file_path: str):
|
||||||
absolute_path = os.path.abspath(config.music_path)
|
absolute_path = os.path.abspath(config.music_path)
|
||||||
absolute_file_path = os.path.join(absolute_path, file_path)
|
absolute_file_path = os.path.normpath(os.path.join(absolute_path, file_path))
|
||||||
|
if not absolute_file_path.startswith(absolute_path):
|
||||||
|
raise HTTPException(status_code=404, detail="File not found")
|
||||||
if not os.path.exists(absolute_file_path):
|
if not os.path.exists(absolute_file_path):
|
||||||
raise HTTPException(status_code=404, detail="File not found")
|
raise HTTPException(status_code=404, detail="File not found")
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user