🔒 fix #645 xss vulnerability

pull/659/head
Xhofe 2022-03-01 20:09:25 +08:00
parent 5193b2aa7d
commit 6af17e2509
1 changed files with 9 additions and 0 deletions


@ -7,6 +7,7 @@ import (
"github.com/Xhofe/alist/server/common" "github.com/Xhofe/alist/server/common"
"github.com/Xhofe/alist/utils" "github.com/Xhofe/alist/utils"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"net/url"
"strings" "strings"
) )
@ -24,11 +25,19 @@ func Plist(c *gin.Context) {
return return
} }
u := string(bytes) u := string(bytes)
uUrl, err := url.Parse(u)
if err != nil {
common.ErrorResp(c, err, 500)
return
}
name := utils.Base(u) name := utils.Base(u)
u = uUrl.String()
ipaIndex := strings.Index(name, ".ipa") ipaIndex := strings.Index(name, ".ipa")
if ipaIndex != -1 { if ipaIndex != -1 {
name = name[:ipaIndex] name = name[:ipaIndex]
} }
name = strings.ReplaceAll(name, "<", "[")
name = strings.ReplaceAll(name, ">", "]")
plist := fmt.Sprintf(`<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> plist := fmt.Sprintf(`<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"> <plist version="1.0">
<dict> <dict>