From 06a6d26491043277361bf5a67dfdadcdca29cb61 Mon Sep 17 00:00:00 2001 From: xia-chu <771730766@qq.com> Date: Sat, 26 Aug 2023 19:43:11 +0800 Subject: [PATCH] =?UTF-8?q?=E6=8F=90=E9=AB=98http=E6=96=87=E4=BB=B6?= =?UTF-8?q?=E6=9C=8D=E5=8A=A1=E5=99=A8=E5=AE=89=E5=85=A8=E6=80=A7?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/Http/HttpFileManager.cpp | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/Http/HttpFileManager.cpp b/src/Http/HttpFileManager.cpp index 3ec4d40c..66e5f7fa 100644 --- a/src/Http/HttpFileManager.cpp +++ b/src/Http/HttpFileManager.cpp @@ -524,7 +524,7 @@ static void accessFile(Session &sender, const Parser &parser, const MediaInfo &m }); } -static string getFilePath(const Parser &parser,const MediaInfo &media_info, Session &sender){ +static string getFilePath(const Parser &parser,const MediaInfo &media_info, Session &sender) { GET_CONFIG(bool, enableVhost, General::kEnableVhost); GET_CONFIG(string, rootPath, Http::kRootPath); GET_CONFIG_FUNC(StrCaseMap, virtualPathMap, Http::kVirtualPath, [](const string &str) { @@ -549,6 +549,13 @@ static string getFilePath(const Parser &parser,const MediaInfo &media_info, Sess } } auto ret = File::absolutePath(enableVhost ? media_info.vhost + url : url, path); + auto http_root = File::absolutePath(enableVhost ? media_info.vhost + "/" : "/", path); + if (!start_with(ret, http_root)) { + // 访问的http文件不得在http根目录之外 + throw std::runtime_error("Attempting to access files outside of the http root directory"); + } + // 替换url,防止返回的目录索引网页被注入非法内容 + const_cast(parser).setUrl("/" + ret.substr(http_root.size())); NoticeCenter::Instance().emitEvent(Broadcast::kBroadcastHttpBeforeAccess, parser, ret, static_cast(sender)); return ret; }