mirror of
https://github.com/ZLMediaKit/ZLMediaKit.git
synced 2024-12-02 00:12:33 +08:00
修复http文件鉴权漏洞
parent
d30d0e2b29
commit
8fe876c0ef
@ -399,8 +399,9 @@ inline void HttpSession::canAccessPath(const string &path_in,bool is_dir,const f
|
|||||||
if(cookie){
|
if(cookie){
|
||||||
//找到了cookie,对cookie上锁先
|
//找到了cookie,对cookie上锁先
|
||||||
auto lck = cookie->getLock();
|
auto lck = cookie->getLock();
|
||||||
auto accessErr = (*cookie)[kAccessErrKey];
|
auto accessErr = (*cookie)[kAccessErrKey].get<string>();
|
||||||
if(path.find((*cookie)[kCookiePathKey].get<string>()) == 0){
|
auto cookiePath = (*cookie)[kCookiePathKey].get<string>();
|
||||||
|
if(path.find(cookiePath) == 0){
|
||||||
//上次cookie是限定本目录
|
//上次cookie是限定本目录
|
||||||
if(accessErr.empty()){
|
if(accessErr.empty()){
|
||||||
//上次鉴权成功
|
//上次鉴权成功
|
||||||
@ -410,7 +411,7 @@ inline void HttpSession::canAccessPath(const string &path_in,bool is_dir,const f
|
|||||||
//上次鉴权失败,如果url发生变更,那么也重新鉴权
|
//上次鉴权失败,如果url发生变更,那么也重新鉴权
|
||||||
if (_parser.Params().empty() || _parser.Params() == cookie->getUid()) {
|
if (_parser.Params().empty() || _parser.Params() == cookie->getUid()) {
|
||||||
//url参数未变,那么判断无权限访问
|
//url参数未变,那么判断无权限访问
|
||||||
callback(accessErr.empty() ? "无权限访问该目录" : accessErr.get<string>(), nullptr);
|
callback(accessErr.empty() ? "无权限访问该目录" : accessErr, nullptr);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
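Review bot: The cached-cookie test in the first hunk, `if(path.find(cookiePath) == 0)`, is still a raw string-prefix match, so a cookie recorded for one directory is also accepted for any path that merely begins with the same characters, and an empty `cookiePath` matches every path. Whether `cookiePath` is always stored non-empty and with a trailing `/` is not visible in these hunks; if that is not guaranteed, the test should require a separator boundary, e.g. `if(!cookiePath.empty() && path.compare(0, cookiePath.size(), cookiePath) == 0 && (cookiePath.back() == '/' || path.size() == cookiePath.size() || path[cookiePath.size()] == '/')){`. The new `accessErr` line would also benefit from a comment such as `// take the stored string itself: an empty string means the previous auth succeeded`, because the fix depends on `empty()` being evaluated on the string rather than on the value wrapper the old code held. `canAccessPath` begins and ends outside both hunks, so how `path` is normalised before this check cannot be confirmed from here.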