hoangvv/NextZen-UserService
1
0
Fork 0
mirror of https://github.com/KaySar12/NextZen-UserService.git synced 2025-06-27 19:35:10 +07:00
Code Issues Actions Packages Projects Releases Wiki Activity

Adding Absolute Path Determination

Browse Source
This commit is contained in:
Link 2024-02-04 06:36:38 +00:00
parent 3f4558e23c
commit 2fdbdcf1ec
1 changed files with 10 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
route/v1/user.go
View File

@ -659,16 +659,21 @@ func GetUserImage(c *gin.Context) {
c.JSON(http.StatusNotFound, model.Result{Success: common_err.INVALID_PARAMS, Message: common_err.GetMsg(common_err.INVALID_PARAMS)}) c.JSON(http.StatusNotFound, model.Result{Success: common_err.INVALID_PARAMS, Message: common_err.GetMsg(common_err.INVALID_PARAMS)})
return return
} }
if !file.Exists(filePath) { absFilePath, err := filepath.Abs(filepath.Clean(filePath))
if err != nil {
c.JSON(http.StatusNotFound, model.Result{Success: common_err.INVALID_PARAMS, Message: common_err.GetMsg(common_err.INVALID_PARAMS)})
return
}
if !file.Exists(absFilePath) {
c.JSON(http.StatusNotFound, model.Result{Success: common_err.FILE_DOES_NOT_EXIST, Message: common_err.GetMsg(common_err.FILE_DOES_NOT_EXIST)}) c.JSON(http.StatusNotFound, model.Result{Success: common_err.FILE_DOES_NOT_EXIST, Message: common_err.GetMsg(common_err.FILE_DOES_NOT_EXIST)})
return return
} }
if !strings.Contains(filePath, config.AppInfo.UserDataPath) { if !strings.Contains(absFilePath, config.AppInfo.UserDataPath) {
c.JSON(http.StatusNotFound, model.Result{Success: common_err.INSUFFICIENT_PERMISSIONS, Message: common_err.GetMsg(common_err.INSUFFICIENT_PERMISSIONS)}) c.JSON(http.StatusNotFound, model.Result{Success: common_err.INSUFFICIENT_PERMISSIONS, Message: common_err.GetMsg(common_err.INSUFFICIENT_PERMISSIONS)})
return return
} }
matched, err := regexp.MatchString(`^/var/lib/casaos/\d`, filePath) matched, err := regexp.MatchString(`^/var/lib/casaos/\d`, absFilePath)
if err != nil { if err != nil {
c.JSON(http.StatusNotFound, model.Result{Success: common_err.INSUFFICIENT_PERMISSIONS, Message: common_err.GetMsg(common_err.INSUFFICIENT_PERMISSIONS)}) c.JSON(http.StatusNotFound, model.Result{Success: common_err.INSUFFICIENT_PERMISSIONS, Message: common_err.GetMsg(common_err.INSUFFICIENT_PERMISSIONS)})
return return
@ -678,14 +683,11 @@ func GetUserImage(c *gin.Context) {
return return
} }
fileTmp, _ := os.Open(filePath) fileName := path.Base(absFilePath)
defer fileTmp.Close()
fileName := path.Base(filePath)
// @tiger - RESTful 规范下不应该返回文件本身内容而是返回文件的静态URL由前端去解析 // @tiger - RESTful 规范下不应该返回文件本身内容而是返回文件的静态URL由前端去解析
c.Header("Content-Disposition", "attachment; filename*=utf-8''"+url2.PathEscape(fileName)) c.Header("Content-Disposition", "attachment; filename*=utf-8''"+url2.PathEscape(fileName))
c.File(filePath) c.File(absFilePath)
} }
func DeleteUserImage(c *gin.Context) { func DeleteUserImage(c *gin.Context) {