diff --git a/.gitignore b/.gitignore
index 2d6c613..9ec8ec2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -90,6 +90,9 @@ __pycache__
 /client/tools/tprdp
 /client/build-tp-player-*
 /client/tp_assist_macos/src/tp-player.app
+/client/tp_assist_linux
+/client/cfg/tp-assist.linux.json
+/client/tp-player/res/cursor1.png
 /server/tp_core/protocol/rdp
 /server/hot-fix
 /server/tools/tpr2mp4
@@ -113,6 +116,7 @@ xcuserdata
 profile
 *.moved-aside
 /server/share/tmp
+*.pbxproj.backup.*
 /server/tp_core/testssh/Debug
 /server/tp_core/testssh/Release
diff --git a/server/www/teleport/webroot/app/controller/audit.py b/server/www/teleport/webroot/app/controller/audit.py
index bb7a079..ad1f5cd 100644
--- a/server/www/teleport/webroot/app/controller/audit.py
+++ b/server/www/teleport/webroot/app/controller/audit.py
@@ -683,6 +683,11 @@ class DoGetFileHandler(TPBaseHandler):
 self.set_status(400) # 400=错误请求
 return self.write('invalid param, `rid` and `f` must present.')
+ # 限制仅允许读取录像文件
+ if not filename.startswith('tp-'):
+ self.set_status(403) # 403=禁止
+ return self.write('you have no such privilege.')
+
 if act not in ['size', 'read']:
 self.set_status(400)
 return self.write('invalid param, `act` should be `size` or `read`.')
diff --git a/server/www/teleport/webroot/app/controller/auth.py b/server/www/teleport/webroot/app/controller/auth.py
index 366e9ff..08f65cf 100644
--- a/server/www/teleport/webroot/app/controller/auth.py
+++ b/server/www/teleport/webroot/app/controller/auth.py
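Review bot: In audit.py, the added `filename.startswith('tp-')` guard in DoGetFileHandler only tests the prefix, so a value that begins with `tp-` but also contains a path separator or a `..` segment still passes. If `filename` is later joined onto the recording directory (that code is outside this hunk), the 403 would not stop a read outside that directory. I would also require a bare file name, e.g. `if not filename.startswith('tp-') or filename != os.path.basename(filename):` (assuming `os` is imported in this module). Ideally the handler would also check that the resolved path stays under the record directory before opening it. The comment above the check could spell out the contract, for example `# only replay files named tp-* directly inside the record directory may be read`.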
@@ -96,22 +96,25 @@ class DoLoginHandler(TPBaseJsonHandler): ]: return self.write_json(TPE_PARAM, '未知的认证方式') + if len(username) == 0: + return self.write_json(TPE_PARAM, '未提供登录用户名') + + if login_type in [TP_LOGIN_AUTH_USERNAME_PASSWORD, TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA, TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH]: + if password is None or len(password) == 0: + return self.write_json(TPE_PARAM, '未提供用户密码') if login_type == TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA: oath = None code = self.get_session('captcha') - if code is None: + if code is None or len(code) == 0: return self.write_json(TPE_CAPTCHA_EXPIRED, '验证码已失效') if code.lower() != captcha.lower(): return self.write_json(TPE_CAPTCHA_MISMATCH, '验证码错误') - elif login_type in [TP_LOGIN_AUTH_USERNAME_OATH, TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH]: - if len(oath) == 0: - return self.write_json(TPE_OATH_MISMATCH, '未提供身份验证器动态验证码') + if login_type in [TP_LOGIN_AUTH_USERNAME_OATH, TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH]: + if oath is None or len(oath) == 0: + return self.write_json(TPE_PARAM, '未提供身份验证器动态验证码') self.del_session('captcha') - if len(username) == 0: - return self.write_json(TPE_PARAM, '未提供登录用户名') - if login_type not in [TP_LOGIN_AUTH_USERNAME_PASSWORD, TP_LOGIN_AUTH_USERNAME_PASSWORD_CAPTCHA, TP_LOGIN_AUTH_USERNAME_PASSWORD_OATH