
Commit d747458

committed
refactor(webdav): Use ResolvePath instead of JoinPath
- Changed the path concatenation method between `reqPath` and `src` and `dst` to use `ResolvePath` - Updated the implementation of path handling in multiple functions - Improved the consistency and reliability of path resolution
1 parent e1800f1 commit d747458


3 files changed

+33
-11
lines changed


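--- a/server/webdav.go
+++ b/server/webdav.go
@@ -113,7 +113,7 @@ func WebDAVAuth(c *gin.Context) {
 reqPath = "/"
 }
 reqPath, _ = url.PathUnescape(reqPath)
-reqPath, err = user.JoinPath(reqPath)
+reqPath, err = webdav.ResolvePath(user, reqPath)
 if err != nil {
 c.Status(http.StatusForbidden)
 c.Abort()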
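Review bot: The error from `url.PathUnescape` on the line just above the changed call is still discarded, so a malformed percent-escape leaves `reqPath` as the empty string the standard library returns on failure, and that value is then passed to `webdav.ResolvePath`. If the cleaning helper maps an empty path to `/` (its body is not shown here), a malformed request would be authorised against the user's base directory instead of being rejected. I would keep the error, `reqPath, err = url.PathUnescape(reqPath)`, and on failure answer with `c.Status(http.StatusBadRequest)` and `c.Abort()` before resolving. WebDAVAuth starts and ends outside this hunk, so what follows `c.Abort()` is not visible.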

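--- a/server/webdav/path.go
+++ b/server/webdav/path.go
@@ -0,0 +1,22 @@
+package webdav
+
+import (
+"path"
+"strings"
+
+"github.com/alist-org/alist/v3/internal/model"
+"github.com/alist-org/alist/v3/pkg/utils"
+)
+
+// ResolvePath normalizes the provided raw path and resolves it against the user's base path
+// before delegating to the user-aware JoinPath permission checks.
+func ResolvePath(user *model.User, raw string) (string, error) {
+cleaned := utils.FixAndCleanPath(raw)
+basePath := utils.FixAndCleanPath(user.BasePath)
+
+if cleaned != "/" && basePath != "/" && !utils.IsSubPath(basePath, cleaned) {
+cleaned = path.Join(basePath, strings.TrimPrefix(cleaned, "/"))
+}
+
+return user.JoinPath(cleaned)
+}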
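Review bot: `ResolvePath` treats one request path as either base-relative or already prefixed with `user.BasePath`, deciding with `utils.IsSubPath`, so a directory inside the user's root whose path repeats the base prefix cannot be addressed unambiguously. `user.JoinPath` is not shown; if it also prepends the base path, the prefix would be applied twice for every non-root request. Because `utils.FixAndCleanPath` runs first, any check in `JoinPath` that inspects the raw string for `..` segments presumably never sees them, so it is worth confirming that containment is verified on the returned path. This changes the authorisation boundary for every handler in server/webdav/webdav.go although the commit is labelled a refactor. A table-driven test should land with it, covering `/`, a base-relative path, a base-prefixed path, a `..` path and a sibling such as `<base>-other`, along with a doc line such as `// user must be non-nil; the returned path is always inside user.BasePath or an error is returned`.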

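--- a/server/webdav/webdav.go
+++ b/server/webdav/webdav.go
@@ -194,7 +194,7 @@ func (h *Handler) handleOptions(w http.ResponseWriter, r *http.Request) (status
 }
 ctx := r.Context()
 user := ctx.Value("user").(*model.User)
-reqPath, err = user.JoinPath(reqPath)
+reqPath, err = ResolvePath(user, reqPath)
 if err != nil {
 return 403, err
 }
@@ -222,7 +222,7 @@ func (h *Handler) handleGetHeadPost(w http.ResponseWriter, r *http.Request) (sta
 // TODO: check locks for read-only access??
 ctx := r.Context()
 user := ctx.Value("user").(*model.User)
-reqPath, err = user.JoinPath(reqPath)
+reqPath, err = ResolvePath(user, reqPath)
 if err != nil {
 return http.StatusForbidden, err
 }
@@ -282,7 +282,7 @@ func (h *Handler) handleDelete(w http.ResponseWriter, r *http.Request) (status i
 
 ctx := r.Context()
 user := ctx.Value("user").(*model.User)
-reqPath, err = user.JoinPath(reqPath)
+reqPath, err = ResolvePath(user, reqPath)
 if err != nil {
 return 403, err
 }
@@ -321,7 +321,7 @@ func (h *Handler) handlePut(w http.ResponseWriter, r *http.Request) (status int,
 // comments in http.checkEtag.
 ctx := r.Context()
 user := ctx.Value("user").(*model.User)
-reqPath, err = user.JoinPath(reqPath)
+reqPath, err = ResolvePath(user, reqPath)
 if err != nil {
 return http.StatusForbidden, err
 }
@@ -375,7 +375,7 @@ func (h *Handler) handleMkcol(w http.ResponseWriter, r *http.Request) (status in
 
 ctx := r.Context()
 user := ctx.Value("user").(*model.User)
-reqPath, err = user.JoinPath(reqPath)
+reqPath, err = ResolvePath(user, reqPath)
 if err != nil {
 return 403, err
 }
@@ -439,11 +439,11 @@ func (h *Handler) handleCopyMove(w http.ResponseWriter, r *http.Request) (status
 
 ctx := r.Context()
 user := ctx.Value("user").(*model.User)
-src, err = user.JoinPath(src)
+src, err = ResolvePath(user, src)
 if err != nil {
 return 403, err
 }
-dst, err = user.JoinPath(dst)
+dst, err = ResolvePath(user, dst)
 if err != nil {
 return 403, err
 }
@@ -540,7 +540,7 @@ func (h *Handler) handleLock(w http.ResponseWriter, r *http.Request) (retStatus
 if err != nil {
 return status, err
 }
-reqPath, err = user.JoinPath(reqPath)
+reqPath, err = ResolvePath(user, reqPath)
 if err != nil {
 return 403, err
 }
@@ -623,7 +623,7 @@ func (h *Handler) handlePropfind(w http.ResponseWriter, r *http.Request) (status
 userAgent := r.Header.Get("User-Agent")
 ctx = context.WithValue(ctx, "userAgent", userAgent)
 user := ctx.Value("user").(*model.User)
-reqPath, err = user.JoinPath(reqPath)
+reqPath, err = ResolvePath(user, reqPath)
 if err != nil {
 return 403, err
 }
@@ -801,7 +801,7 @@ func (h *Handler) handleProppatch(w http.ResponseWriter, r *http.Request) (statu
 
 ctx := r.Context()
 user := ctx.Value("user").(*model.User)
-reqPath, err = user.JoinPath(reqPath)
+reqPath, err = ResolvePath(user, reqPath)
 if err != nil {
 return 403, err
 }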
