fix!: sign with the raw path instead of filename (OpenListTeam#2258)

koho · web-flow · commit 00de9bf16d3a · 2022-11-11T16:24:25.000+08:00
diff --git a/server/common/sign.go b/server/common/sign.go
@@ -3,11 +3,12 @@ package common
 import (
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/internal/sign"
+	stdpath "path"
 )
 
-func Sign(obj model.Obj, encrypt bool) string {
+func Sign(obj model.Obj, parent string, encrypt bool) string {
 	if obj.IsDir() || !encrypt {
 		return ""
 	}
-	return sign.Sign(obj.GetName())
+	return sign.Sign(stdpath.Join(parent, obj.GetName()))
 }
diff --git a/server/handles/down.go b/server/handles/down.go
@@ -58,7 +58,7 @@ func Proxy(c *gin.Context) {
 				URL := fmt.Sprintf("%s%s?sign=%s",
 					strings.Split(downProxyUrl, "\n")[0],
 					utils.EncodePath(rawPath, true),
-					sign.Sign(filename))
+					sign.Sign(rawPath))
 				c.Redirect(302, URL)
 				return
 			}
diff --git a/server/handles/fsmanage.go b/server/handles/fsmanage.go
@@ -203,8 +203,8 @@ func Link(c *gin.Context) {
 		common.SuccessResp(c, model.Link{
 			URL: fmt.Sprintf("%s/p%s?d&sign=%s",
 				common.GetApiUrl(c.Request),
-				utils.EncodePath(req.Path, true),
-				sign.Sign(stdpath.Base(rawPath))),
+				utils.EncodePath(rawPath, true),
+				sign.Sign(rawPath)),
 		})
 		return
 	}
diff --git a/server/handles/fsread.go b/server/handles/fsread.go
@@ -86,7 +86,7 @@ func FsList(c *gin.Context) {
 		provider = storage.GetStorage().Driver
 	}
 	common.SuccessResp(c, FsListResp{
-		Content:  toObjResp(objs, isEncrypt(meta, req.Path)),
+		Content:  toObjResp(objs, req.Path, isEncrypt(meta, req.Path)),
 		Total:    int64(total),
 		Readme:   getReadme(meta, req.Path),
 		Write:    user.CanWrite() || canWrite(meta, req.Path),
@@ -196,7 +196,7 @@ func pagination(objs []model.Obj, req *common.PageReq) (int, []model.Obj) {
 	return total, objs[start:end]
 }
 
-func toObjResp(objs []model.Obj, encrypt bool) []ObjResp {
+func toObjResp(objs []model.Obj, parent string, encrypt bool) []ObjResp {
 	var resp []ObjResp
 	for _, obj := range objs {
 		thumb := ""
@@ -212,7 +212,7 @@ func toObjResp(objs []model.Obj, encrypt bool) []ObjResp {
 			Size:     obj.GetSize(),
 			IsDir:    obj.IsDir(),
 			Modified: obj.ModTime(),
-			Sign:     common.Sign(obj, encrypt),
+			Sign:     common.Sign(obj, parent, encrypt),
 			Thumb:    thumb,
 			Type:     tp,
 		})
@@ -275,12 +275,12 @@ func FsGet(c *gin.Context) {
 				rawURL = fmt.Sprintf("%s%s?sign=%s",
 					strings.Split(storage.GetStorage().DownProxyUrl, "\n")[0],
 					utils.EncodePath(req.Path, true),
-					sign.Sign(obj.GetName()))
+					sign.Sign(req.Path))
 			} else {
 				rawURL = fmt.Sprintf("%s/p%s?sign=%s",
 					common.GetApiUrl(c.Request),
 					utils.EncodePath(req.Path, true),
-					sign.Sign(obj.GetName()))
+					sign.Sign(req.Path))
 			}
 		} else {
 			// file have raw url
@@ -310,13 +310,13 @@ func FsGet(c *gin.Context) {
 			Size:     obj.GetSize(),
 			IsDir:    obj.IsDir(),
 			Modified: obj.ModTime(),
-			Sign:     common.Sign(obj, isEncrypt(meta, req.Path)),
+			Sign:     common.Sign(obj, parentPath, isEncrypt(meta, req.Path)),
 			Type:     utils.GetFileType(obj.GetName()),
 		},
 		RawURL:   rawURL,
 		Readme:   getReadme(meta, req.Path),
 		Provider: provider,
-		Related:  toObjResp(related, isEncrypt(parentMeta, parentPath)),
+		Related:  toObjResp(related, parentPath, isEncrypt(parentMeta, parentPath)),
 	})
 }
 
diff --git a/server/middlewares/down.go b/server/middlewares/down.go
@@ -1,7 +1,6 @@
 package middlewares
 
 import (
-	stdpath "path"
 	"strings"
 
 	"github.com/alist-org/alist/v3/internal/db"
@@ -17,7 +16,6 @@ import (
 func Down(c *gin.Context) {
 	rawPath := parsePath(c.Param("path"))
 	c.Set("path", rawPath)
-	filename := stdpath.Base(rawPath)
 	meta, err := db.GetNearestMeta(rawPath)
 	if err != nil {
 		if !errors.Is(errors.Cause(err), errs.MetaNotFound) {
@@ -29,7 +27,7 @@ func Down(c *gin.Context) {
 	// verify sign
 	if needSign(meta, rawPath) {
 		s := c.Query("sign")
-		err = sign.Verify(filename, strings.TrimSuffix(s, "/"))
+		err = sign.Verify(rawPath, strings.TrimSuffix(s, "/"))
 		if err != nil {
 			common.ErrorResp(c, err, 401)
 			c.Abort()
diff --git a/server/webdav/webdav.go b/server/webdav/webdav.go
@@ -231,7 +231,7 @@ func (h *Handler) handleGetHeadPost(w http.ResponseWriter, r *http.Request) (sta
 		u := fmt.Sprintf("%s/p%s?sign=%s",
 			common.GetApiUrl(r),
 			utils.EncodePath(reqPath, true),
-			sign.Sign(path.Base(reqPath)))
+			sign.Sign(reqPath))
 		w.Header().Set("Cache-Control", "max-age=0, no-cache, no-store, must-revalidate")
 		http.Redirect(w, r, u, 302)
 	} else {

Original file line number	Diff line number	Diff line change
`@@ -3,11 +3,12 @@ package common`
`3`	`3`	`import (`
`4`	`4`	`"github.com/alist-org/alist/v3/internal/model"`
`5`	`5`	`"github.com/alist-org/alist/v3/internal/sign"`
	`6`	`+ stdpath "path"`
`6`	`7`	`)`
`7`	`8`
`8`		`-func Sign(obj model.Obj, encrypt bool) string {`
	`9`	`+func Sign(obj model.Obj, parent string, encrypt bool) string {`
`9`	`10`	`if obj.IsDir() \|\| !encrypt {`
`10`	`11`	`return ""`
`11`	`12`	`}`
`12`		`- return sign.Sign(obj.GetName())`
	`13`	`+ return sign.Sign(stdpath.Join(parent, obj.GetName()))`
`13`	`14`	`}`
Original file line number	Diff line number	Diff line change
`@@ -58,7 +58,7 @@ func Proxy(c *gin.Context) {`
`58`	`58`	`URL := fmt.Sprintf("%s%s?sign=%s",`
`59`	`59`	`strings.Split(downProxyUrl, "\n")[0],`
`60`	`60`	`utils.EncodePath(rawPath, true),`
`61`		`- sign.Sign(filename))`
	`61`	`+ sign.Sign(rawPath))`
`62`	`62`	`c.Redirect(302, URL)`
`63`	`63`	`return`
`64`	`64`	`}`