github
/
alist
mirror of https://github.com/Xhofe/alist
1
0
Fork 0
Code Issues Releases Wiki Activity

🔒 not allowed use relative path of native

pull/548/head
微凉 2022-01-27 15:10:33 +08:00
parent 7390e19a7a
commit bf9aa5c3d3
2 changed files with 20 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
drivers/base/types.go
View File

@ -12,6 +12,7 @@ var (
ErrNotSupport = errors.New("not support") ErrNotSupport = errors.New("not support")
ErrNotFolder = errors.New("not a folder") ErrNotFolder = errors.New("not a folder")
ErrEmptyFile = errors.New("empty file") ErrEmptyFile = errors.New("empty file")
ErrRelativePath = errors.New("access using relative path is not allowed")
) )
const ( const (

21
drivers/native/driver.go
View File

@ -1,7 +1,6 @@
package native package native
import ( import (
"errors"
"fmt" "fmt"
"github.com/Xhofe/alist/conf" "github.com/Xhofe/alist/conf"
"github.com/Xhofe/alist/drivers/base" "github.com/Xhofe/alist/drivers/base"
@ -60,7 +59,7 @@ func (driver Native) Save(account *model.Account, old *model.Account) error {
func (driver Native) File(path string, account *model.Account) (*model.File, error) { func (driver Native) File(path string, account *model.Account) (*model.File, error) {
if utils.IsContain(strings.Split(path, "/"), "..") { if utils.IsContain(strings.Split(path, "/"), "..") {
return nil, errors.New("access using relative path is not allowed") return nil, base.ErrRelativePath
} }
fullPath := filepath.Join(account.RootFolder, path) fullPath := filepath.Join(account.RootFolder, path)
if !utils.Exists(fullPath) { if !utils.Exists(fullPath) {
@ -86,6 +85,9 @@ func (driver Native) File(path string, account *model.Account) (*model.File, err
} }
func (driver Native) Files(path string, account *model.Account) ([]model.File, error) { func (driver Native) Files(path string, account *model.Account) ([]model.File, error) {
if utils.IsContain(strings.Split(path, "/"), "..") {
return nil, base.ErrRelativePath
}
fullPath := filepath.Join(account.RootFolder, path) fullPath := filepath.Join(account.RootFolder, path)
if !utils.Exists(fullPath) { if !utils.Exists(fullPath) {
return nil, base.ErrPathNotFound return nil, base.ErrPathNotFound
@ -163,12 +165,18 @@ func (driver Native) Preview(path string, account *model.Account) (interface{},
} }
func (driver Native) MakeDir(path string, account *model.Account) error { func (driver Native) MakeDir(path string, account *model.Account) error {
if utils.IsContain(strings.Split(path, "/"), "..") {
return base.ErrRelativePath
}
fullPath := filepath.Join(account.RootFolder, path) fullPath := filepath.Join(account.RootFolder, path)
err := os.MkdirAll(fullPath, 0700) err := os.MkdirAll(fullPath, 0700)
return err return err
} }
func (driver Native) Move(src string, dst string, account *model.Account) error { func (driver Native) Move(src string, dst string, account *model.Account) error {
if utils.IsContain(strings.Split(src+"/"+dst, "/"), "..") {
return base.ErrRelativePath
}
fullSrc := filepath.Join(account.RootFolder, src) fullSrc := filepath.Join(account.RootFolder, src)
fullDst := filepath.Join(account.RootFolder, dst) fullDst := filepath.Join(account.RootFolder, dst)
return os.Rename(fullSrc, fullDst) return os.Rename(fullSrc, fullDst)
@ -179,6 +187,9 @@ func (driver Native) Rename(src string, dst string, account *model.Account) erro
} }
func (driver Native) Copy(src string, dst string, account *model.Account) error { func (driver Native) Copy(src string, dst string, account *model.Account) error {
if utils.IsContain(strings.Split(src+"/"+dst, "/"), "..") {
return base.ErrRelativePath
}
fullSrc := filepath.Join(account.RootFolder, src) fullSrc := filepath.Join(account.RootFolder, src)
fullDst := filepath.Join(account.RootFolder, dst) fullDst := filepath.Join(account.RootFolder, dst)
srcFile, err := driver.File(src, account) srcFile, err := driver.File(src, account)
@ -198,6 +209,9 @@ func (driver Native) Copy(src string, dst string, account *model.Account) error
} }
func (driver Native) Delete(path string, account *model.Account) error { func (driver Native) Delete(path string, account *model.Account) error {
if utils.IsContain(strings.Split(path, "/"), "..") {
return base.ErrRelativePath
}
fullPath := filepath.Join(account.RootFolder, path) fullPath := filepath.Join(account.RootFolder, path)
file, err := driver.File(path, account) file, err := driver.File(path, account)
if err != nil { if err != nil {
@ -213,6 +227,9 @@ func (driver Native) Upload(file *model.FileStream, account *model.Account) erro
if file == nil { if file == nil {
return base.ErrEmptyFile return base.ErrEmptyFile
} }
if utils.IsContain(strings.Split(file.ParentPath, "/"), "..") {
return base.ErrRelativePath
}
fullPath := filepath.Join(account.RootFolder, file.ParentPath, file.Name) fullPath := filepath.Join(account.RootFolder, file.ParentPath, file.Name)
_, err := driver.File(filepath.Join(file.ParentPath, file.Name), account) _, err := driver.File(filepath.Join(file.ParentPath, file.Name), account)
if err == nil { if err == nil {