marco/yt-dlp-webui
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

better filename guards

Browse Source 
closes #195
This commit is contained in:
marcobaobao
2024-09-17 10:00:57 +02:00
parent fb2642de2c
commit 03ee338f15
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
server/handlers/archive.go
View File

@@ -158,7 +158,7 @@ func SendFile(w http.ResponseWriter, r *http.Request) {
root := config.Instance().DownloadPath root := config.Instance().DownloadPath
if strings.Contains(filepath.Dir(filename), root) { if strings.Contains(filepath.Dir(filepath.Clean(filename)), filepath.Clean(root)) {
http.ServeFile(w, r, filename) http.ServeFile(w, r, filename)
return return
} }
@@ -190,7 +190,7 @@ func DownloadFile(w http.ResponseWriter, r *http.Request) {
root := config.Instance().DownloadPath root := config.Instance().DownloadPath
if strings.Contains(filepath.Dir(filename), root) { if strings.Contains(filepath.Dir(filepath.Clean(filename)), filepath.Clean(root)) {
w.Header().Add("Content-Disposition", "inline; filename=\""+filepath.Base(filename)+"\"") w.Header().Add("Content-Disposition", "inline; filename=\""+filepath.Base(filename)+"\"")
w.Header().Set("Content-Type", "application/octet-stream") w.Header().Set("Content-Type", "application/octet-stream")