提高http文件服务器安全性

src/Http/HttpFileManager.cpp

@@ -524,7 +524,7 @@ static void accessFile(Session &sender, const Parser &parser, const MediaInfo &m
     });
     });
 }
 }
 
 
-static string getFilePath(const Parser &parser,const MediaInfo &media_info, Session &sender){
+static string getFilePath(const Parser &parser,const MediaInfo &media_info, Session &sender) {
     GET_CONFIG(bool, enableVhost, General::kEnableVhost);
     GET_CONFIG(bool, enableVhost, General::kEnableVhost);
     GET_CONFIG(string, rootPath, Http::kRootPath);
     GET_CONFIG(string, rootPath, Http::kRootPath);
     GET_CONFIG_FUNC(StrCaseMap, virtualPathMap, Http::kVirtualPath, [](const string &str) {
     GET_CONFIG_FUNC(StrCaseMap, virtualPathMap, Http::kVirtualPath, [](const string &str) {
@@ -549,6 +549,13 @@ static string getFilePath(const Parser &parser,const MediaInfo &media_info, Sess
         }
         }
     }
     }
     auto ret = File::absolutePath(enableVhost ? media_info.vhost + url : url, path);
     auto ret = File::absolutePath(enableVhost ? media_info.vhost + url : url, path);
+    auto http_root = File::absolutePath(enableVhost ? media_info.vhost + "/" : "/", path);
+    if (!start_with(ret, http_root)) {
+        // 访问的http文件不得在http根目录之外
+        throw std::runtime_error("Attempting to access files outside of the http root directory");
+    }
+    // 替换url，防止返回的目录索引网页被注入非法内容
+    const_cast<Parser&>(parser).setUrl("/" + ret.substr(http_root.size()));
     NoticeCenter::Instance().emitEvent(Broadcast::kBroadcastHttpBeforeAccess, parser, ret, static_cast<SockInfo &>(sender));
     NoticeCenter::Instance().emitEvent(Broadcast::kBroadcastHttpBeforeAccess, parser, ret, static_cast<SockInfo &>(sender));
     return ret;
     return ret;
 }
 }