修正web server目录安全性校验文件分隔符号处理问题

2026-06-07 10:22:11 +08:00 · 2018-04-23 17:06:50 +08:00
parent 721c1091d0
commit b3f96c587e
5 changed files with 14 additions and 9 deletions
--- a/3
+++ b/3
@ -3,7 +3,8 @@ ON THE WAY:
 2. ghttp.Server平滑重启方案；
 3. 更多数据库的ORM支持；
 4. 验证码包支持；
-
+5. https支持；
+6. FAQ

 DONE:
 1. gconv完善针对不同类型的判断，例如：尽量减少sprintf("%v", xxx)来执行string类型的转换；
--- a/g/net/ghttp/http_server_handler.go
+++ b/g/net/ghttp/http_server_handler.go
@ -93,8 +93,8 @@ func (s *Server)serveFile(r *Request) {
        if gfile.Separator != "/" {
            uri = strings.Replace(uri, "/", gfile.Separator, -1)
        }
-        path  = path + uri
-        path  = gfile.RealPath(path)
+        path = path + uri
+        path = gfile.RealPath(path)
        if path != "" {
            // 文件/目录访问安全限制：服务的路径必须在ServerRoot下，否则会报错
            if len(path) >= len(s.config.ServerRoot) && strings.EqualFold(path[0 : len(s.config.ServerRoot)], s.config.ServerRoot) {
--- a/g/net/ghttp/http_server_options.go
+++ b/g/net/ghttp/http_server_options.go
@ -14,7 +14,6 @@ import (
    "strings"
    "net/http"
    "crypto/tls"
-    "path/filepath"
    "gitee.com/johng/gf/g/os/gfile"
 )

@ -105,7 +104,7 @@ func (s *Server)SetMaxHeaderBytes(b int) error {
    return nil
 }

-// 设置http server参数 - IndexFiles
+// 设置http server参数 - IndexFiles，默认展示文件，如：index.html, index.htm
 func (s *Server)SetIndexFiles(index []string) error {
    if s.status == 1 {
        return errors.New("server config cannot be changed while running")
@ -114,7 +113,7 @@ func (s *Server)SetIndexFiles(index []string) error {
    return nil
 }

-// 设置http server参数 - IndexFolder
+// 允许展示访问目录的文件列表
 func (s *Server)SetIndexFolder(index bool) error {
    if s.status == 1 {
        return errors.New("server config cannot be changed while running")
@ -137,7 +136,12 @@ func (s *Server)SetServerRoot(root string) error {
    if s.status == 1 {
        return errors.New("server config cannot be changed while running")
    }
-    s.config.ServerRoot  = strings.TrimRight(root, string(filepath.Separator))
+    // RealPath的作用除了校验地址正确性以外，还转换分隔符号为当前系统正确的文件分隔符号
+    path := gfile.RealPath(root)
+    if path == "" {
+        return errors.New("invalid root path \"" + root + "\"")
+    }
+    s.config.ServerRoot  = strings.TrimRight(path, string(gfile.Separator))
    return nil
 }

--- a/g/os/gview/gview.go
+++ b/g/os/gview/gview.go
@ -90,7 +90,7 @@ func (view *View) Parse(file string, params map[string]interface{}) ([]byte, err
        }
    }
    if content == "" {
-        return nil, errors.New("invalid tpl \"" + file + "\"")
+        return nil, errors.New("tpl \"" + file + "\" not found")
    }
    // 执行模板解析
    view.mu.RLock()
--- a/geg/net/ghttp/server1.go
+++ b/geg/net/ghttp/server1.go
@ -7,7 +7,7 @@ import (
 func main() {
    s := ghttp.GetServer()
    s.SetIndexFolder(true)
-    s.SetServerRoot("C:\\Documents and Settings\\Claymore\\桌面\\gf.test")
+    s.SetServerRoot("/home/john/Workspace/view")
    s.SetPort(8199)
    s.Run()
 }