fix!: sign with the raw path instead of filename (#2258)

pull/2338/head
Gerhard Tan 2022-11-11 16:24:25 +08:00 committed by GitHub
parent 1743110a70
commit 00de9bf16d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 15 additions and 16 deletions


@ -3,11 +3,12 @@ package common
import ( import (
"github.com/alist-org/alist/v3/internal/model" "github.com/alist-org/alist/v3/internal/model"
"github.com/alist-org/alist/v3/internal/sign" "github.com/alist-org/alist/v3/internal/sign"
stdpath "path"
) )
func Sign(obj model.Obj, encrypt bool) string { func Sign(obj model.Obj, parent string, encrypt bool) string {
if obj.IsDir() || !encrypt { if obj.IsDir() || !encrypt {
return "" return ""
} }
return sign.Sign(obj.GetName()) return sign.Sign(stdpath.Join(parent, obj.GetName()))
} }
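Review bot: The exported `Sign` gains a `parent` parameter but has no doc comment saying which form of path it expects, and that is now part of the security contract: the signature only verifies if `stdpath.Join(parent, obj.GetName())` equals the path the download middleware checks. I would add `// Sign returns the download signature for obj, computed over stdpath.Join(parent, obj.GetName()); parent must be the full path of the containing directory exactly as the verifier will see it.` Note also that `stdpath.Join` cleans its result, so a `parent` with a trailing slash or `..` segments is signed in cleaned form, whereas the other call sites in this commit sign their path strings as-is.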


@ -58,7 +58,7 @@ func Proxy(c *gin.Context) {
URL := fmt.Sprintf("%s%s?sign=%s", URL := fmt.Sprintf("%s%s?sign=%s",
strings.Split(downProxyUrl, "\n")[0], strings.Split(downProxyUrl, "\n")[0],
utils.EncodePath(rawPath, true), utils.EncodePath(rawPath, true),
sign.Sign(filename)) sign.Sign(rawPath))
c.Redirect(302, URL) c.Redirect(302, URL)
return return
} }


@ -203,8 +203,8 @@ func Link(c *gin.Context) {
common.SuccessResp(c, model.Link{ common.SuccessResp(c, model.Link{
URL: fmt.Sprintf("%s/p%s?d&sign=%s", URL: fmt.Sprintf("%s/p%s?d&sign=%s",
common.GetApiUrl(c.Request), common.GetApiUrl(c.Request),
utils.EncodePath(req.Path, true), utils.EncodePath(rawPath, true),
sign.Sign(stdpath.Base(rawPath))), sign.Sign(rawPath)),
}) })
return return
} }


@ -86,7 +86,7 @@ func FsList(c *gin.Context) {
provider = storage.GetStorage().Driver provider = storage.GetStorage().Driver
} }
common.SuccessResp(c, FsListResp{ common.SuccessResp(c, FsListResp{
Content: toObjResp(objs, isEncrypt(meta, req.Path)), Content: toObjResp(objs, req.Path, isEncrypt(meta, req.Path)),
Total: int64(total), Total: int64(total),
Readme: getReadme(meta, req.Path), Readme: getReadme(meta, req.Path),
Write: user.CanWrite() || canWrite(meta, req.Path), Write: user.CanWrite() || canWrite(meta, req.Path),
@ -196,7 +196,7 @@ func pagination(objs []model.Obj, req *common.PageReq) (int, []model.Obj) {
return total, objs[start:end] return total, objs[start:end]
} }
func toObjResp(objs []model.Obj, encrypt bool) []ObjResp { func toObjResp(objs []model.Obj, parent string, encrypt bool) []ObjResp {
var resp []ObjResp var resp []ObjResp
for _, obj := range objs { for _, obj := range objs {
thumb := "" thumb := ""
@ -212,7 +212,7 @@ func toObjResp(objs []model.Obj, encrypt bool) []ObjResp {
Size: obj.GetSize(), Size: obj.GetSize(),
IsDir: obj.IsDir(), IsDir: obj.IsDir(),
Modified: obj.ModTime(), Modified: obj.ModTime(),
Sign: common.Sign(obj, encrypt), Sign: common.Sign(obj, parent, encrypt),
Thumb: thumb, Thumb: thumb,
Type: tp, Type: tp,
}) })
@ -275,12 +275,12 @@ func FsGet(c *gin.Context) {
rawURL = fmt.Sprintf("%s%s?sign=%s", rawURL = fmt.Sprintf("%s%s?sign=%s",
strings.Split(storage.GetStorage().DownProxyUrl, "\n")[0], strings.Split(storage.GetStorage().DownProxyUrl, "\n")[0],
utils.EncodePath(req.Path, true), utils.EncodePath(req.Path, true),
sign.Sign(obj.GetName())) sign.Sign(req.Path))
} else { } else {
rawURL = fmt.Sprintf("%s/p%s?sign=%s", rawURL = fmt.Sprintf("%s/p%s?sign=%s",
common.GetApiUrl(c.Request), common.GetApiUrl(c.Request),
utils.EncodePath(req.Path, true), utils.EncodePath(req.Path, true),
sign.Sign(obj.GetName())) sign.Sign(req.Path))
} }
} else { } else {
// file have raw url // file have raw url
@ -310,13 +310,13 @@ func FsGet(c *gin.Context) {
Size: obj.GetSize(), Size: obj.GetSize(),
IsDir: obj.IsDir(), IsDir: obj.IsDir(),
Modified: obj.ModTime(), Modified: obj.ModTime(),
Sign: common.Sign(obj, isEncrypt(meta, req.Path)), Sign: common.Sign(obj, parentPath, isEncrypt(meta, req.Path)),
Type: utils.GetFileType(obj.GetName()), Type: utils.GetFileType(obj.GetName()),
}, },
RawURL: rawURL, RawURL: rawURL,
Readme: getReadme(meta, req.Path), Readme: getReadme(meta, req.Path),
Provider: provider, Provider: provider,
Related: toObjResp(related, isEncrypt(parentMeta, parentPath)), Related: toObjResp(related, parentPath, isEncrypt(parentMeta, parentPath)),
}) })
} }
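Review bot: In the second `FsGet` hunk the response now carries two signatures for one file, derived by different routes: `RawURL` signs `req.Path` directly, while the `Sign` field goes through `common.Sign(obj, parentPath, …)`, which signs `stdpath.Join(parentPath, obj.GetName())`. The two agree only if `req.Path` is already clean and its last segment equals `obj.GetName()`; neither is established in the visible lines, and a mismatch would surface later as a 401 from the download middleware instead of an error here. Consider computing the signed path once, or stating the invariant next to the call with a comment such as `// invariant: stdpath.Join(parentPath, obj.GetName()) == req.Path`. The same applies to `toObjResp(objs, req.Path, …)` in `FsList` if `req.Path` can reach it un-normalised. `FsGet` starts outside the hunks shown.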


@ -1,7 +1,6 @@
package middlewares package middlewares
import ( import (
stdpath "path"
"strings" "strings"
"github.com/alist-org/alist/v3/internal/db" "github.com/alist-org/alist/v3/internal/db"
@ -17,7 +16,6 @@ import (
func Down(c *gin.Context) { func Down(c *gin.Context) {
rawPath := parsePath(c.Param("path")) rawPath := parsePath(c.Param("path"))
c.Set("path", rawPath) c.Set("path", rawPath)
filename := stdpath.Base(rawPath)
meta, err := db.GetNearestMeta(rawPath) meta, err := db.GetNearestMeta(rawPath)
if err != nil { if err != nil {
if !errors.Is(errors.Cause(err), errs.MetaNotFound) { if !errors.Is(errors.Cause(err), errs.MetaNotFound) {
@ -29,7 +27,7 @@ func Down(c *gin.Context) {
// verify sign // verify sign
if needSign(meta, rawPath) { if needSign(meta, rawPath) {
s := c.Query("sign") s := c.Query("sign")
err = sign.Verify(filename, strings.TrimSuffix(s, "/")) err = sign.Verify(rawPath, strings.TrimSuffix(s, "/"))
if err != nil { if err != nil {
common.ErrorResp(c, err, 401) common.ErrorResp(c, err, 401)
c.Abort() c.Abort()
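Review bot: `sign.Verify(rawPath, …)` now checks the signature against whatever `parsePath` returns, so `parsePath` has become the canonical form every signer must reproduce, and nothing in the visible code pins that. The signers in this commit build their input by four routes: `stdpath.Join(parent, name)`, `req.Path`, `rawPath`, and `reqPath` in `handleGetHeadPost`. A comment here, e.g. `// rawPath is the exact string covered by the signature; signers must pass the same normalised path`, plus a round-trip test over paths with trailing slashes, repeated slashes and encoded characters would guard it. It is also worth confirming that the handlers behind this middleware open the file from the `"path"` value set above and not from a re-parsed parameter, so the verified path and the served path cannot diverge. `Down` continues outside the hunk.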


@ -231,7 +231,7 @@ func (h *Handler) handleGetHeadPost(w http.ResponseWriter, r *http.Request) (sta
u := fmt.Sprintf("%s/p%s?sign=%s", u := fmt.Sprintf("%s/p%s?sign=%s",
common.GetApiUrl(r), common.GetApiUrl(r),
utils.EncodePath(reqPath, true), utils.EncodePath(reqPath, true),
sign.Sign(path.Base(reqPath))) sign.Sign(reqPath))
w.Header().Set("Cache-Control", "max-age=0, no-cache, no-store, must-revalidate") w.Header().Set("Cache-Control", "max-age=0, no-cache, no-store, must-revalidate")
http.Redirect(w, r, u, 302) http.Redirect(w, r, u, 302)
} else { } else {