fix: /api/icon path check
glennliao committed Jul 5, 2023
1 parent 7f9a5be commit bbf41e5
Showing 2 changed files with 10 additions and 3 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -40,6 +40,7 @@ services:
container_name: bookmark
restart: always
# 使用mysql可外部挂载配置文件 config.toml , 默认使用sqlite, 需将数据库文件挂载到 /app/bookmark.db
# 如果需要上传自定义图标, 需要将 /app/runtime挂载出来
#volumes:
# - ./config.toml:/app/config.toml
ports:
12 changes: 9 additions & 3 deletions main.go
Expand Up @@ -4,7 +4,7 @@ import (
"context"
_ "embed"
"net/http"
"path"
"path/filepath"
"strings"

"github.com/glennliao/apijson-go"
Expand Down Expand Up @@ -49,7 +49,7 @@ var (
})

s.Group("/api", func(group *ghttp.RouterGroup) {
iconSavePath := "./runtime/icon"
iconSavePath, _ := filepath.Abs("./runtime/icon")

group.Group("/", func(group *ghttp.RouterGroup) {
group.Middleware(app.Cors, app.Auth)
Expand All @@ -76,7 +76,13 @@ var (

group.GET("/icon", func(req *ghttp.Request) {
name := req.GetQuery("name").String()
req.Response.ServeFile(path.Join(iconSavePath, name), false)
path := filepath.Join(iconSavePath, name)
if !strings.HasPrefix(path, iconSavePath) {
req.Response.Status = 500
req.Response.Write("?")
return
}
req.Response.ServeFile(path, false)
})
})

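Review bot: The new guard on the `strings.HasPrefix` line still admits sibling directories, because the prefix is compared without a trailing separator: if `iconSavePath` resolves to, say, `/app/runtime/icon`, a query of `name=../icon-x/f` joins (and cleans) to `/app/runtime/icon-x/f`, which passes, and an empty `name` yields `iconSavePath` itself and passes the directory straight to `ServeFile`. Compare against the directory plus separator instead, `if path == iconSavePath || !strings.HasPrefix(path, iconSavePath+string(filepath.Separator)) {` (or, if the module targets Go 1.20+, reject `!filepath.IsLocal(name)` before joining). The error from `filepath.Abs` is also discarded; should it fail, `iconSavePath` is `""`, every joined path has that prefix and the check is silently disabled, so startup should abort on that error rather than continue. A rejected name is a client error, so 400 or 404 is more accurate than 500 with the body `"?"`. The enclosing `s.Group` closure starts and ends outside the hunk.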