fix: 修复安全问题

2026-04-22 22:00:04 +08:00 · 2025-06-10 16:43:43 +08:00
parent 1679eedb94
commit 2eb6e8035b
2 changed files with 3 additions and 5 deletions
--- a/xiaomusic/httpserver.py
+++ b/xiaomusic/httpserver.py
@@ -563,7 +563,7 @@ async def downloadplaylist(data: DownloadPlayList, Verifcation=Depends(verificat
            dir_path = os.path.join(config.download_path, data.dirname)
            log.debug(f"Download dir_path: {dir_path}")
            # 可能只是部分失败，都需要整理下载目录
-            remove_common_prefix(dir_path)
+            remove_common_prefix(config.download_path, dir_path)
            chmoddir(dir_path)
            return {"ret": "OK"}
        else:
@@ -577,7 +577,7 @@ async def downloadplaylist(data: DownloadPlayList, Verifcation=Depends(verificat
            dir_path = os.path.join(config.download_path, data.dirname)
            log.debug(f"Download dir_path: {dir_path}")
            # 可能只是部分失败，都需要整理下载目录
-            remove_common_prefix(dir_path)
+            remove_common_prefix(config.download_path, dir_path)
            chmoddir(dir_path)

        asyncio.create_task(check_download_proc())
--- a/xiaomusic/utils.py
+++ b/xiaomusic/utils.py
@@ -1108,9 +1108,7 @@ def _longest_common_prefix(file_names):


 # 移除目录下文件名前缀相同的
-def remove_common_prefix(directory):
-    # Define the safe root directory
-    safe_root = config.download_path
+def remove_common_prefix(safe_root, directory):
    # Normalize the directory path
    normalized_directory = os.path.normpath(directory)
    # Ensure the directory is within the safe root