github
/
alist
mirror of https://github.com/Xhofe/alist
1
0
Fork 0
Code Issues Releases Wiki Activity

🔒 not allowed access using relative path for native

pull/548/head
微凉 2022-01-27 14:54:20 +08:00
parent 26ce001782
commit b31a12a0cc
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
drivers/native/driver.go
View File

@ -1,6 +1,7 @@
package native package native
import ( import (
"errors"
"fmt" "fmt"
"github.com/Xhofe/alist/conf" "github.com/Xhofe/alist/conf"
"github.com/Xhofe/alist/drivers/base" "github.com/Xhofe/alist/drivers/base"
@ -58,6 +59,9 @@ func (driver Native) Save(account *model.Account, old *model.Account) error {
} }
func (driver Native) File(path string, account *model.Account) (*model.File, error) { func (driver Native) File(path string, account *model.Account) (*model.File, error) {
if utils.IsContain(strings.Split(path, "/"), "..") {
return nil, errors.New("access using relative path is not allowed")
}
fullPath := filepath.Join(account.RootFolder, path) fullPath := filepath.Join(account.RootFolder, path)
if !utils.Exists(fullPath) { if !utils.Exists(fullPath) {
return nil, base.ErrPathNotFound return nil, base.ErrPathNotFound