From 6218e492781d1c288c626efe4dfdf12950dd8c48 Mon Sep 17 00:00:00 2001
From: Menci <huanghaorui301@gmail.com>
Date: Thu, 30 May 2019 21:18:33 +0800
Subject: [PATCH] Deny downloading from wrong host

---
 modules/api_v2.js | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/modules/api_v2.js b/modules/api_v2.js
index e5c6a26..3f6aa39 100644
--- a/modules/api_v2.js
+++ b/modules/api_v2.js
@@ -1,4 +1,5 @@
 const jwt = require('jsonwebtoken');
+const url = require('url');
 
 app.get('/api/v2/search/users/:keyword*?', async (req, res) => {
   try {
@@ -120,6 +121,10 @@ app.apiRouter.get('/api/v2/download/:token', async (req, res) => {
   try {
     const token = req.params.token, data = jwt.decode(token);
     if (!data) throw new ErrorMessage("无效的令牌。");
+    if (url.parse(syzoj.utils.getCurrentLocation(req, true)).href !== url.parse(syzoj.config.site_for_download).href) {
+      throw new ErrorMessage("无效的下载地址。");
+    }
+
     if (verifyJWT(token)) {
       res.download(data.filename, data.sendName);
     } else {