From 6218e492781d1c288c626efe4dfdf12950dd8c48 Mon Sep 17 00:00:00 2001
From: Menci
Date: Thu, 30 May 2019 21:18:33 +0800
Subject: [PATCH] Deny downloading from wrong host

---
 modules/api_v2.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/api_v2.js b/modules/api_v2.js
index e5c6a26..3f6aa39 100644
--- a/modules/api_v2.js
+++ b/modules/api_v2.js
@@ -1,4 +1,5 @@
 const jwt = require('jsonwebtoken');
+const url = require('url');
 
 app.get('/api/v2/search/users/:keyword*?', async (req, res) => {
 try {
@@ -120,6 +121,10 @@ app.apiRouter.get('/api/v2/download/:token', async (req, res) => {
 try {
 const token = req.params.token, data = jwt.decode(token);
 if (!data) throw new ErrorMessage("无效的令牌。");
+if (url.parse(syzoj.utils.getCurrentLocation(req, true)).href !== url.parse(syzoj.config.site_for_download).href) {
+throw new ErrorMessage("无效的下载地址。");
+}
+
 if (verifyJWT(token)) {
 res.download(data.filename, data.sendName);
 } else {
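Review bot: The new host check in the download handler compares two `url.parse(...).href` strings, which is both fragile and built on the legacy parser: `.href` equality breaks as soon as either side carries a path, query or differing trailing segment, and Node documents `url.parse()` as legacy with parsing behaviour that differs from the WHATWG parser, which matters when the left-hand value presumably derives from the request's Host header (getCurrentLocation's second argument is not visible here, so what it returns should be confirmed). What the check intends is an origin comparison, so compare `new URL(...).origin` on both sides: `const requestOrigin = new URL(syzoj.utils.getCurrentLocation(req, true)).origin;` / `const allowedOrigin = new URL(syzoj.config.site_for_download).origin;` / `if (requestOrigin !== allowedOrigin) {`, after which the `require('url')` added in the first hunk is no longer needed. Also worth a comment above the check stating the assumption it rests on, e.g. `// Downloads are served only via site_for_download; this relies on the proxy routing the Host header faithfully`, since a Host-based check is only as strong as the front proxy's host handling. The enclosing app.apiRouter.get handler starts and ends outside the hunk, so the catch path that turns ErrorMessage into a response is not visible here.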