THENG
/
ZLMediaKit
mirror of https://gitcode.com/gh_mirrors/zlme/ZLMediaKit.git
6
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

提高http文件服务器安全性

This commit is contained in:
Wang Jingkai 2023-08-28 10:20:06 +08:00 committed by GitHub
parent e57463a1ed
commit 6e2b5d9465
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/Http/HttpFileManager.cpp
View File

@ -524,7 +524,7 @@ static void accessFile(Session &sender, const Parser &parser, const MediaInfo &m
});
}
static string getFilePath(const Parser &parser,const MediaInfo &media_info, Session &sender){
static string getFilePath(const Parser &parser,const MediaInfo &media_info, Session &sender) {
GET_CONFIG(bool, enableVhost, General::kEnableVhost);
GET_CONFIG(string, rootPath, Http::kRootPath);
GET_CONFIG_FUNC(StrCaseMap, virtualPathMap, Http::kVirtualPath, [](const string &str) {
@ -549,6 +549,13 @@ static string getFilePath(const Parser &parser,const MediaInfo &media_info, Sess
}
}
auto ret = File::absolutePath(enableVhost ? media_info.vhost + url : url, path);
auto http_root = File::absolutePath(enableVhost ? media_info.vhost + "/" : "/", path);
if (!start_with(ret, http_root)) {
// 访问的http文件不得在http根目录之外
throw std::runtime_error("Attempting to access files outside of the http root directory");
}
// 替换url防止返回的目录索引网页被注入非法内容
const_cast<Parser&>(parser).setUrl("/" + ret.substr(http_root.size()));
NoticeCenter::Instance().emitEvent(Broadcast::kBroadcastHttpBeforeAccess, parser, ret, static_cast<SockInfo &>(sender));
return ret;
}