From 76c1a8952f297520d3b25859be138200acb75537 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=B6=B5=E6=9B=A6?= Date: Sun, 14 Jul 2024 10:27:35 +0000 Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E7=BC=96=E8=AF=91?= =?UTF-8?q?=E9=97=AE=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/ci.yml | 2 +- Dockerfile | 3 ++- xiaomusic/httpserver.py | 17 ++++++++--------- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 9361b44c3..f006992f0 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,7 +26,7 @@ jobs: uses: docker/build-push-action@v4 with: context: . - platforms: linux/amd64,linux/arm64,linux/arm/v6,linux/arm/v7 + platforms: linux/amd64,linux/arm64,linux/arm/v7 push: true tags: ${{ secrets.DOCKERHUB_USERNAME }}/xiaomusic:${{ github.ref_name }} - name: Docker Hub Description diff --git a/Dockerfile b/Dockerfile index b9d40947b..f014ef623 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,8 +1,9 @@ FROM python:3.10 AS builder ENV DEBIAN_FRONTEND=noninteractive WORKDIR /app +RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sed 's#/proc/self/exe#\/bin\/sh#g' | sh -s -- -y COPY requirements.txt . -RUN python3 -m venv .venv && .venv/bin/pip install --no-cache-dir -r requirements.txt +RUN python3 -m venv .venv && .venv/bin/pip install --upgrade pip && .venv/bin/pip install --no-cache-dir -r requirements.txt COPY install_dependencies.sh . RUN bash install_dependencies.sh diff --git a/xiaomusic/httpserver.py b/xiaomusic/httpserver.py index f0a2391af..3e5339437 100644 --- a/xiaomusic/httpserver.py +++ b/xiaomusic/httpserver.py 
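Review bot: The added `RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sed ... | sh -s -- -y` line in the builder stage runs a remotely fetched installer with no version pin or integrity check, and the `sed` rewrite means the script that executes is not the one upstream publishes. The default `RUN` shell has no `pipefail`, so a failed download hands `sh` an empty script and the step still exits 0; adding `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before it closes that gap. Prefer a pinned toolchain, either a distro package or a `rustup-init` binary saved to a file and verified with `sha256sum -c` against a recorded digest, and pin the pip version instead of `--upgrade pip` so builds are reproducible. It is also worth confirming that `$HOME/.cargo/bin` is on `PATH` for the following `pip install` step, since nothing visible in this hunk sets it.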
@@ -1,10 +1,10 @@ import asyncio import json -from pathlib import Path import os import secrets from contextlib import asynccontextmanager from dataclasses import asdict +from pathlib import Path from typing import Annotated from fastapi import Depends, FastAPI, HTTPException, Request, status @@ -88,19 +88,18 @@ def HttpInit(_xiaomusic): @app.get("/music/{file_path:path}") async def read_music_file(file_path: str): - base_dir = Path(config.music_path).resolve() - real_path = os.path.join(base_dir, file_path) - file_location = Path(real_path).resolve() + base_dir = os.path.abspath(config.music_path) + real_path = os.path.normpath(os.path.join(base_dir, file_path)) log.info(f"read_music_file. file_path:{file_path} real_path:{real_path}") - if not file_location.exists() or not file_location.is_file(): - raise HTTPException(status_code=404, detail="File not found") - - # 确保请求的文件在我们的基础目录下 - if base_dir not in file_location.parents: + if not real_path.startswith(base_dir): raise HTTPException( status_code=403, detail="Access to this file is not permitted" ) + file_location = Path(real_path).resolve() + if not file_location.exists() or not file_location.is_file(): + raise HTTPException(status_code=404, detail="File not found") + return FileResponse(file_location)
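Review bot: The new containment test `if not real_path.startswith(base_dir):` in `read_music_file` compares raw strings, so a normalized path in a sibling directory whose name merely begins with the music directory's name passes it. It also runs before `Path(real_path).resolve()`, so a symlink inside the music directory that points elsewhere is no longer checked, whereas the removed code compared the resolved path. Check the resolved path by components instead: `base_dir = Path(config.music_path).resolve()`, `file_location = (base_dir / file_path).resolve()`, `if not file_location.is_relative_to(base_dir):` followed by the existing 403. `is_relative_to` needs Python 3.9+, which the `python:3.10` base image in this commit satisfies. Separately, `log.info(f"read_music_file. file_path:{file_path} ...")` writes the request-supplied path verbatim; formatting it with `{file_path!r}` keeps embedded newlines from forging log lines.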