fix: check if the req path is relative path (close #2531)

2022-11-30 21:38:00 +08:00
parent f9788ea7cf
commit b5bf5f4325
8 changed files with 172 additions and 68 deletions
--- a/server/handles/fsup.go
+++ b/server/handles/fsup.go
@ -21,8 +21,11 @@ func FsStream(c *gin.Context) {
 	}
 	asTask := c.GetHeader("As-Task") == "true"
 	user := c.MustGet("user").(*model.User)
-	path = stdpath.Join(user.BasePath, path)
-
+	path, err = user.JoinPath(path)
+	if err != nil {
+		common.ErrorResp(c, err, 403)
+		return
+	}
 	dir, name := stdpath.Split(path)
 	sizeStr := c.GetHeader("Content-Length")
 	size, err := strconv.ParseInt(sizeStr, 10, 64)
@ -61,8 +64,11 @@ func FsForm(c *gin.Context) {
 	}
 	asTask := c.GetHeader("As-Task") == "true"
 	user := c.MustGet("user").(*model.User)
-	path = stdpath.Join(user.BasePath, path)
-
+	path, err = user.JoinPath(path)
+	if err != nil {
+		common.ErrorResp(c, err, 403)
+		return
+	}
 	storage, err := fs.GetStorage(path)
 	if err != nil {
 		common.ErrorResp(c, err, 400)