fix!: sign with the raw path instead of filename (#2258)

2022-11-11 16:24:25 +08:00 · 2022-11-11 16:24:25 +08:00 · 00de9bf16d
parent 1743110a70
commit 00de9bf16d
6 changed files with 15 additions and 16 deletions
--- a/server/common/sign.go
+++ b/server/common/sign.go
@ -3,11 +3,12 @@ package common
 import (
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/internal/sign"
+	stdpath "path"
 )

-func Sign(obj model.Obj, encrypt bool) string {
+func Sign(obj model.Obj, parent string, encrypt bool) string {
 	if obj.IsDir() || !encrypt {
 		return ""
 	}
-	return sign.Sign(obj.GetName())
+	return sign.Sign(stdpath.Join(parent, obj.GetName()))
 }
--- a/server/handles/down.go
+++ b/server/handles/down.go
@ -58,7 +58,7 @@ func Proxy(c *gin.Context) {
 				URL := fmt.Sprintf("%s%s?sign=%s",
 					strings.Split(downProxyUrl, "\n")[0],
 					utils.EncodePath(rawPath, true),
-					sign.Sign(filename))
+					sign.Sign(rawPath))
 				c.Redirect(302, URL)
 				return
 			}
--- a/server/handles/fsmanage.go
+++ b/server/handles/fsmanage.go
@ -203,8 +203,8 @@ func Link(c *gin.Context) {
 		common.SuccessResp(c, model.Link{
 			URL: fmt.Sprintf("%s/p%s?d&sign=%s",
 				common.GetApiUrl(c.Request),
-				utils.EncodePath(req.Path, true),
-				sign.Sign(stdpath.Base(rawPath))),
+				utils.EncodePath(rawPath, true),
+				sign.Sign(rawPath)),
 		})
 		return
 	}
--- a/server/handles/fsread.go
+++ b/server/handles/fsread.go
@ -86,7 +86,7 @@ func FsList(c *gin.Context) {
 		provider = storage.GetStorage().Driver
 	}
 	common.SuccessResp(c, FsListResp{
-		Content:  toObjResp(objs, isEncrypt(meta, req.Path)),
+		Content:  toObjResp(objs, req.Path, isEncrypt(meta, req.Path)),
 		Total:    int64(total),
 		Readme:   getReadme(meta, req.Path),
 		Write:    user.CanWrite() || canWrite(meta, req.Path),
@ -196,7 +196,7 @@ func pagination(objs []model.Obj, req *common.PageReq) (int, []model.Obj) {
 	return total, objs[start:end]
 }

-func toObjResp(objs []model.Obj, encrypt bool) []ObjResp {
+func toObjResp(objs []model.Obj, parent string, encrypt bool) []ObjResp {
 	var resp []ObjResp
 	for _, obj := range objs {
 		thumb := ""
@ -212,7 +212,7 @@ func toObjResp(objs []model.Obj, encrypt bool) []ObjResp {
 			Size:     obj.GetSize(),
 			IsDir:    obj.IsDir(),
 			Modified: obj.ModTime(),
-			Sign:     common.Sign(obj, encrypt),
+			Sign:     common.Sign(obj, parent, encrypt),
 			Thumb:    thumb,
 			Type:     tp,
 		})
@ -275,12 +275,12 @@ func FsGet(c *gin.Context) {
 				rawURL = fmt.Sprintf("%s%s?sign=%s",
 					strings.Split(storage.GetStorage().DownProxyUrl, "\n")[0],
 					utils.EncodePath(req.Path, true),
-					sign.Sign(obj.GetName()))
+					sign.Sign(req.Path))
 			} else {
 				rawURL = fmt.Sprintf("%s/p%s?sign=%s",
 					common.GetApiUrl(c.Request),
 					utils.EncodePath(req.Path, true),
-					sign.Sign(obj.GetName()))
+					sign.Sign(req.Path))
 			}
 		} else {
 			// file have raw url
@ -310,13 +310,13 @@ func FsGet(c *gin.Context) {
 			Size:     obj.GetSize(),
 			IsDir:    obj.IsDir(),
 			Modified: obj.ModTime(),
-			Sign:     common.Sign(obj, isEncrypt(meta, req.Path)),
+			Sign:     common.Sign(obj, parentPath, isEncrypt(meta, req.Path)),
 			Type:     utils.GetFileType(obj.GetName()),
 		},
 		RawURL:   rawURL,
 		Readme:   getReadme(meta, req.Path),
 		Provider: provider,
-		Related:  toObjResp(related, isEncrypt(parentMeta, parentPath)),
+		Related:  toObjResp(related, parentPath, isEncrypt(parentMeta, parentPath)),
 	})
 }

--- a/server/middlewares/down.go
+++ b/server/middlewares/down.go
@ -1,7 +1,6 @@
 package middlewares

 import (
-	stdpath "path"
 	"strings"

 	"github.com/alist-org/alist/v3/internal/db"
@ -17,7 +16,6 @@ import (
 func Down(c *gin.Context) {
 	rawPath := parsePath(c.Param("path"))
 	c.Set("path", rawPath)
-	filename := stdpath.Base(rawPath)
 	meta, err := db.GetNearestMeta(rawPath)
 	if err != nil {
 		if !errors.Is(errors.Cause(err), errs.MetaNotFound) {
@ -29,7 +27,7 @@ func Down(c *gin.Context) {
 	// verify sign
 	if needSign(meta, rawPath) {
 		s := c.Query("sign")
-		err = sign.Verify(filename, strings.TrimSuffix(s, "/"))
+		err = sign.Verify(rawPath, strings.TrimSuffix(s, "/"))
 		if err != nil {
 			common.ErrorResp(c, err, 401)
 			c.Abort()
--- a/server/webdav/webdav.go
+++ b/server/webdav/webdav.go
@ -231,7 +231,7 @@ func (h *Handler) handleGetHeadPost(w http.ResponseWriter, r *http.Request) (sta
 		u := fmt.Sprintf("%s/p%s?sign=%s",
 			common.GetApiUrl(r),
 			utils.EncodePath(reqPath, true),
-			sign.Sign(path.Base(reqPath)))
+			sign.Sign(reqPath))
 		w.Header().Set("Cache-Control", "max-age=0, no-cache, no-store, must-revalidate")
 		http.Redirect(w, r, u, 302)
 	} else {