OpenList Version (required)
v4.2.1
Storage Driver Used (required)
Local storage
Bug Description (required)
Files in the root directory are not deleted correctly
Logs (required)
FsRemove: path traversal attempt skipped: 1.txt (dir: /)
Configuration File Content (required)
Default, unmodified
Reproduction Link (optional)
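Mount any local directory, e.g. /opt/openlist, as the root directory /. Create 1.txt in the web UI, right-click it, choose Delete and confirm. The browser reports success, but the file is not actually deleted.
I asked an AI and learned that if !strings.HasPrefix(fullPath+"/", reqPath+"/") in server/handles/fsmanage.go turns the actual full path into //1.txt, which causes a false path traversal report.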
Please confirm the following
I have read and agree to AGPL-3.0 Section 15.
The program is provided "as is" without any warranties; you bear all risks of using it.
I have read and agree to AGPL-3.0 Section 16.
The copyright holders and distributors are not liable for any damages resulting from the use or inability to use the program.
I confirm my description is clear, polite, helps developers quickly locate the issue, and complies with community rules.
I have read the OpenList documentation.
I confirm there are no duplicate issues or discussions.
I confirm this is an OpenList issue, not caused by other reasons (such as network, dependencies, or operation).
I believe this issue must be handled by OpenList and not by a third party.
I confirm this issue is not fixed in the latest version.
I have not read these checkboxes and therefore I just ticked them all, Please close this issue.
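The following Go sketch is an added example, not code from the report or from OpenList: it runs the prefix comparison quoted above with / as the directory, next to a hypothetical corrected containment check. The function names naiveWithin and within, the meaning assumed for the two paths (requested directory and joined entry path) and the sample inputs are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// naiveWithin applies the comparison quoted in the report. Both sides get a
// trailing slash, so dir "/" turns into the prefix "//", which no cleaned
// path starts with. It also accepts the directory itself (name ".").
func naiveWithin(dir, name string) bool {
	full := path.Join(dir, name)
	return strings.HasPrefix(full+"/", dir+"/")
}

// within is a hypothetical corrected check (an assumption, not the project's
// fix): clean the directory, add the separator only when it is missing, and
// reject a name that resolves to the directory itself.
func within(dir, name string) bool {
	dir = path.Clean("/" + dir)
	full := path.Join(dir, name)
	if full == dir {
		return false
	}
	prefix := dir
	if !strings.HasSuffix(prefix, "/") {
		prefix += "/"
	}
	return strings.HasPrefix(full, prefix)
}

func main() {
	// Constructed sample inputs: (directory, entry name) pairs.
	cases := [][2]string{
		{"/", "1.txt"},             // the reported case
		{"/docs", "1.txt"},         // non-root directory
		{"/docs", "../etc/passwd"}, // resolves outside /docs
		{"/docs", "../docs2/x"},    // sibling sharing a name prefix
		{"/docs", "."},             // resolves to the directory itself
	}
	for _, c := range cases {
		fmt.Printf("dir=%-6s name=%-15s naive=%-5v fixed=%v\n",
			c[0], c[1], naiveWithin(c[0], c[1]), within(c[0], c[1]))
	}
}
```

Only the root-directory row differs in a way a user would notice: the naive check rejects /1.txt, matching the "path traversal attempt skipped" log line, while both checks still reject the paths that leave /docs.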