fix: check if the req path is relative path (close #2531)
This commit is contained in:
Noah Hsu
@ -26,25 +26,29 @@ func FsMkdir(c *gin.Context) {
|
||||
return
|
||||
}
|
||||
user := c.MustGet("user").(*model.User)
|
||||
req.Path = stdpath.Join(user.BasePath, req.Path)
|
||||
reqPath, err := user.JoinPath(req.Path)
|
||||
if err != nil {
|
||||
common.ErrorResp(c, err, 403)
|
||||
return
|
||||
}
|
||||
if !user.CanWrite() {
|
||||
meta, err := db.GetNearestMeta(stdpath.Dir(req.Path))
|
||||
meta, err := db.GetNearestMeta(stdpath.Dir(reqPath))
|
||||
if err != nil {
|
||||
if !errors.Is(errors.Cause(err), errs.MetaNotFound) {
|
||||
common.ErrorResp(c, err, 500, true)
|
||||
return
|
||||
}
|
||||
}
|
||||
if !common.CanWrite(meta, req.Path) {
|
||||
if !common.CanWrite(meta, reqPath) {
|
||||
common.ErrorResp(c, errs.PermissionDenied, 403)
|
||||
return
|
||||
}
|
||||
}
|
||||
if err := fs.MakeDir(c, req.Path); err != nil {
|
||||
if err := fs.MakeDir(c, reqPath); err != nil {
|
||||
common.ErrorResp(c, err, 500)
|
||||
return
|
||||
}
|
||||
fs.ClearCache(stdpath.Dir(req.Path))
|
||||
fs.ClearCache(stdpath.Dir(reqPath))
|
||||
common.SuccessResp(c)
|
||||
}
|
||||
|
||||
@ -69,17 +73,25 @@ func FsMove(c *gin.Context) {
|
||||
common.ErrorResp(c, errs.PermissionDenied, 403)
|
||||
return
|
||||
}
|
||||
req.SrcDir = stdpath.Join(user.BasePath, req.SrcDir)
|
||||
req.DstDir = stdpath.Join(user.BasePath, req.DstDir)
|
||||
srcDir, err := user.JoinPath(req.SrcDir)
|
||||
if err != nil {
|
||||
common.ErrorResp(c, err, 403)
|
||||
return
|
||||
}
|
||||
dstDir, err := user.JoinPath(req.DstDir)
|
||||
if err != nil {
|
||||
common.ErrorResp(c, err, 403)
|
||||
return
|
||||
}
|
||||
for _, name := range req.Names {
|
||||
err := fs.Move(c, stdpath.Join(req.SrcDir, name), req.DstDir)
|
||||
err := fs.Move(c, stdpath.Join(srcDir, name), dstDir)
|
||||
if err != nil {
|
||||
common.ErrorResp(c, err, 500)
|
||||
return
|
||||
}
|
||||
}
|
||||
fs.ClearCache(req.SrcDir)
|
||||
fs.ClearCache(req.DstDir)
|
||||
fs.ClearCache(srcDir)
|
||||
fs.ClearCache(dstDir)
|
||||
common.SuccessResp(c)
|
||||
}
|
||||
|
||||
@ -98,11 +110,19 @@ func FsCopy(c *gin.Context) {
|
||||
common.ErrorResp(c, errs.PermissionDenied, 403)
|
||||
return
|
||||
}
|
||||
req.SrcDir = stdpath.Join(user.BasePath, req.SrcDir)
|
||||
req.DstDir = stdpath.Join(user.BasePath, req.DstDir)
|
||||
srcDir, err := user.JoinPath(req.SrcDir)
|
||||
if err != nil {
|
||||
common.ErrorResp(c, err, 403)
|
||||
return
|
||||
}
|
||||
dstDir, err := user.JoinPath(req.DstDir)
|
||||
if err != nil {
|
||||
common.ErrorResp(c, err, 403)
|
||||
return
|
||||
}
|
||||
var addedTask []string
|
||||
for _, name := range req.Names {
|
||||
ok, err := fs.Copy(c, stdpath.Join(req.SrcDir, name), req.DstDir)
|
||||
ok, err := fs.Copy(c, stdpath.Join(srcDir, name), dstDir)
|
||||
if ok {
|
||||
addedTask = append(addedTask, name)
|
||||
}
|
||||
@ -112,7 +132,7 @@ func FsCopy(c *gin.Context) {
|
||||
}
|
||||
}
|
||||
if len(req.Names) != len(addedTask) {
|
||||
fs.ClearCache(req.DstDir)
|
||||
fs.ClearCache(dstDir)
|
||||
}
|
||||
if len(addedTask) > 0 {
|
||||
common.SuccessResp(c, fmt.Sprintf("Added %d tasks", len(addedTask)))
|
||||
@ -137,12 +157,16 @@ func FsRename(c *gin.Context) {
|
||||
common.ErrorResp(c, errs.PermissionDenied, 403)
|
||||
return
|
||||
}
|
||||
req.Path = stdpath.Join(user.BasePath, req.Path)
|
||||
if err := fs.Rename(c, req.Path, req.Name); err != nil {
|
||||
reqPath, err := user.JoinPath(req.Path)
|
||||
if err != nil {
|
||||
common.ErrorResp(c, err, 403)
|
||||
return
|
||||
}
|
||||
if err := fs.Rename(c, reqPath, req.Name); err != nil {
|
||||
common.ErrorResp(c, err, 500)
|
||||
return
|
||||
}
|
||||
fs.ClearCache(stdpath.Dir(req.Path))
|
||||
fs.ClearCache(stdpath.Dir(reqPath))
|
||||
common.SuccessResp(c)
|
||||
}
|
||||
|
||||
@ -166,9 +190,13 @@ func FsRemove(c *gin.Context) {
|
||||
common.ErrorResp(c, errs.PermissionDenied, 403)
|
||||
return
|
||||
}
|
||||
req.Dir = stdpath.Join(user.BasePath, req.Dir)
|
||||
reqDir, err := user.JoinPath(req.Dir)
|
||||
if err != nil {
|
||||
common.ErrorResp(c, err, 403)
|
||||
return
|
||||
}
|
||||
for _, name := range req.Names {
|
||||
err := fs.Remove(c, stdpath.Join(req.Dir, name))
|
||||
err := fs.Remove(c, stdpath.Join(reqDir, name))
|
||||
if err != nil {
|
||||
common.ErrorResp(c, err, 500)
|
||||
return
|
||||
@ -185,8 +213,10 @@ func Link(c *gin.Context) {
|
||||
common.ErrorResp(c, err, 400)
|
||||
return
|
||||
}
|
||||
user := c.MustGet("user").(*model.User)
|
||||
rawPath := stdpath.Join(user.BasePath, req.Path)
|
||||
//user := c.MustGet("user").(*model.User)
|
||||
//rawPath := stdpath.Join(user.BasePath, req.Path)
|
||||
// why need not join base_path? because it's always the full path
|
||||
rawPath := req.Path
|
||||
storage, err := fs.GetStorage(rawPath)
|
||||
if err != nil {
|
||||
common.ErrorResp(c, err, 500)
|
||||
|
||||
Reference in New Issue
Block a user