Skip to content

Commit 7dc8231

Browse files
Sky_slienceSky_slience
Sky_slience
authored and
Sky_slience
committed
fix(rename): block rename for password-protected paths
1 parent f3d6230 commit 7dc8231

File tree

2 files changed

+27
-1
lines changed

2 files changed

+27
-1
lines changed

server/handles/fsbatch.go

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -195,6 +195,9 @@ func FsBatchRename(c *gin.Context) {
195195
common.ErrorResp(c, err, 400)
196196
return
197197
}
198+
if !canRenamePath(c, filePath) {
199+
return
200+
}
198201
if err := fs.Rename(c, filePath, renameObject.NewName); err != nil {
199202
common.ErrorResp(c, err, 500)
200203
return
@@ -261,6 +264,9 @@ func FsRegexRename(c *gin.Context) {
261264
common.ErrorResp(c, err, 500)
262265
return
263266
}
267+
if !canRenamePath(c, filePath) {
268+
return
269+
}
264270
newFileName := srcRegexp.ReplaceAllString(file.GetName(), req.NewNameRegex)
265271
if err := utils.ValidateNameComponent(newFileName); err != nil {
266272
common.ErrorResp(c, err, 400)

server/handles/fsmanage.go

Lines changed: 21 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,10 +2,11 @@ package handles
22

33
import (
44
"fmt"
5-
"github.com/alist-org/alist/v3/internal/task"
65
"io"
76
stdpath "path"
87

8+
"github.com/alist-org/alist/v3/internal/task"
9+
910
"github.com/alist-org/alist/v3/internal/errs"
1011
"github.com/alist-org/alist/v3/internal/fs"
1112
"github.com/alist-org/alist/v3/internal/model"
@@ -213,6 +214,22 @@ type RenameReq struct {
213214
Overwrite bool `json:"overwrite"`
214215
}
215216

217+
func canRenamePath(c *gin.Context, reqPath string) bool {
218+
meta, err := op.GetNearestMeta(reqPath)
219+
if err != nil {
220+
if !errors.Is(errors.Cause(err), errs.MetaNotFound) {
221+
common.ErrorResp(c, err, 500, true)
222+
return false
223+
}
224+
return true
225+
}
226+
if meta != nil && meta.Password != "" && common.IsApply(meta.Path, reqPath, meta.PSub) {
227+
common.ErrorStrResp(c, "Path is password-protected and cannot be renamed.", 403)
228+
return false
229+
}
230+
return true
231+
}
232+
216233
func FsRename(c *gin.Context) {
217234
var req RenameReq
218235
if err := c.ShouldBind(&req); err != nil {
@@ -229,6 +246,9 @@ func FsRename(c *gin.Context) {
229246
common.ErrorResp(c, errs.PermissionDenied, 403)
230247
return
231248
}
249+
if !canRenamePath(c, reqPath) {
250+
return
251+
}
232252
perm := common.MergeRolePermissions(user, reqPath)
233253
if !common.HasPermission(perm, common.PermRename) {
234254
common.ErrorResp(c, errs.PermissionDenied, 403)

0 commit comments

Comments
 (0)