更加安全的目录拼接, 在不改变/数量的情况下, 实现安全且正确的拼接path

2025-05-07 11:06:23 +00:00 · 2023-01-06 01:28:09 +08:00 · 2023-01-06 01:28:09 +08:00 · 010447c8f2
commit 010447c8f2
parent bb92c994cd
4 changed files with 26 additions and 4 deletions
--- a/internal/option.go
+++ b/internal/option.go
@ -180,6 +180,7 @@ func (opt *Option) PrepareRunner() (*Runner, error) {
 	if opt.Advance {
 		r.Crawl = true
 		r.Active = true
+		r.Bak = true
 		opt.AppendRule = append(opt.AppendRule, "filebak")
 	} else if opt.FileBak {
 		opt.AppendRule = append(opt.AppendRule, "filebak")
--- a/internal/pool.go
+++ b/internal/pool.go
@ -533,7 +533,7 @@ func (pool *Pool) doActive() {
 	for _, u := range pkg.ActivePath {
 		pool.wg.Add(1)
 		pool.additionCh <- &Unit{
-			path:   u,
+			path:   safePath(pool.BaseURL, u),
 			source: ActiveSource,
 		}
 	}
@ -553,7 +553,7 @@ func (pool *Pool) doBak() {
 	for w := range worder.C {
 		pool.wg.Add(1)
 		pool.additionCh <- &Unit{
-			path:   w,
+			path:   safePath(pool.BaseURL, w),
 			source: BakSource,
 		}
 	}
--- a/internal/utils.go
+++ b/internal/utils.go
@ -124,3 +124,15 @@ func loadRuleWithFiles(ruleFiles []string, filter string) ([]rule.Expression, er
 	}
 	return rule.Compile(rules.String(), filter).Expressions, nil
 }
+
+func safePath(url, path string) string {
+	urlSlash := strings.HasSuffix(url, "/")
+	pathSlash := strings.HasPrefix(path, "/")
+	if !urlSlash && !pathSlash {
+		return "/" + path
+	} else if urlSlash && pathSlash {
+		return path[1:]
+	} else {
+		return path
+	}
+}
--- a/pkg/ihttp/request.go
+++ b/pkg/ihttp/request.go
@ -3,15 +3,16 @@ package ihttp
 import (
 	"github.com/valyala/fasthttp"
 	"net/http"
+	"strings"
 )

 func BuildPathRequest(clientType int, base, path string) (*Request, error) {
 	if clientType == FAST {
 		req := fasthttp.AcquireRequest()
-		req.SetRequestURI(base + path)
+		req.SetRequestURI(safeUrlJoin(base, path))
 		return &Request{FastRequest: req, ClientType: FAST}, nil
 	} else {
-		req, err := http.NewRequest("GET", base+path, nil)
+		req, err := http.NewRequest("GET", safeUrlJoin(base, path), nil)
 		return &Request{StandardRequest: req, ClientType: STANDARD}, err
 	}
 }
@ -74,3 +75,11 @@ func (r *Request) Host() string {
 		return ""
 	}
 }
+
+func safeUrlJoin(base, uri string) string {
+	if !strings.HasSuffix(base, "/") && !strings.HasPrefix(uri, "/") {
+		return base + "/" + uri
+	} else {
+		return base + uri
+	}
+}