chore: safe base64 decode ipa name

pkg/utils/hash.go

@@ -3,7 +3,9 @@ package utils
 import (
 	"crypto/md5"
 	"crypto/sha1"
+	"encoding/base64"
 	"encoding/hex"
+	"strings"
 )
 
 func GetSHA1Encode(data string) string {
@@ -17,3 +19,20 @@ func GetMD5Encode(data string) string {
 	h.Write([]byte(data))
 	return hex.EncodeToString(h.Sum(nil))
 }
+
+var DEC = map[string]string{
+	"-": "+",
+	"_": "/",
+	".": "=",
+}
+
+func SafeAtob(data string) (string, error) {
+	for k, v := range DEC {
+		data = strings.ReplaceAll(data, k, v)
+	}
+	bytes, err := base64.StdEncoding.DecodeString(data)
+	if err != nil {
+		return "", err
+	}
+	return string(bytes), err
+}

server/handles/helper.go

@@ -1,13 +1,13 @@
 package handles
 
 import (
-	"encoding/base64"
 	"fmt"
 	"net/url"
 	"strings"
 
 	"github.com/alist-org/alist/v3/internal/conf"
 	"github.com/alist-org/alist/v3/internal/setting"
+	"github.com/alist-org/alist/v3/pkg/utils"
 	"github.com/alist-org/alist/v3/server/common"
 	"github.com/gin-gonic/gin"
 )
@@ -16,30 +16,26 @@ func Favicon(c *gin.Context) {
 	c.Redirect(302, setting.GetStr(conf.Favicon))
 }
 
-var DEC = map[string]string{
-	"-": "+",
-	"_": "/",
-	".": "=",
-}
-
 func Plist(c *gin.Context) {
 	link := c.Param("link")
-	for k, v := range DEC {
+	u, err := utils.SafeAtob(link)
-		link = strings.ReplaceAll(link, k, v)
-	}
-	u, err := base64.StdEncoding.DecodeString(link)
 	if err != nil {
-		common.ErrorResp(c, err, 500)
+		common.ErrorResp(c, err, 400)
 		return
 	}
-	uUrl, err := url.Parse(string(u))
+	uUrl, err := url.Parse(u)
 	if err != nil {
-		common.ErrorResp(c, err, 500)
+		common.ErrorResp(c, err, 400)
 		return
 	}
 	fullName := c.Param("name")
 	Url := uUrl.String()
 	fullName = strings.TrimSuffix(fullName, ".plist")
+	fullName, err = utils.SafeAtob(fullName)
+	if err != nil {
+		common.ErrorResp(c, err, 400)
+		return
+	}
 	name := fullName
 	identifier := fmt.Sprintf("ci.nn.%s", url.PathEscape(fullName))
 	sep := "@"