
Deny downloading from wrong host

pull/6/head
Menci 6 years ago
parent
commit
6218e49278
  1. 5
      modules/api_v2.js

5
modules/api_v2.js

@ -1,4 +1,5 @@
const jwt = require('jsonwebtoken'); const jwt = require('jsonwebtoken');
const url = require('url');
app.get('/api/v2/search/users/:keyword*?', async (req, res) => { app.get('/api/v2/search/users/:keyword*?', async (req, res) => {
try { try {
@ -120,6 +121,10 @@ app.apiRouter.get('/api/v2/download/:token', async (req, res) => {
try { try {
const token = req.params.token, data = jwt.decode(token); const token = req.params.token, data = jwt.decode(token);
if (!data) throw new ErrorMessage("无效的令牌。"); if (!data) throw new ErrorMessage("无效的令牌。");
if (url.parse(syzoj.utils.getCurrentLocation(req, true)).href !== url.parse(syzoj.config.site_for_download).href) {
throw new ErrorMessage("无效的下载地址。");
}
if (verifyJWT(token)) { if (verifyJWT(token)) {
res.download(data.filename, data.sendName); res.download(data.filename, data.sendName);
} else { } else {
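Review bot: The new host check compares two full `href` strings, so it fails closed for every download as soon as the two sides differ in anything but origin — a trailing slash on `site_for_download`, a differing scheme behind a TLS-terminating proxy, or any path component in whatever `getCurrentLocation(req, true)` returns (its exact output is not visible here) — and if `site_for_download` is absent from the config, `url.parse(undefined)` throws a TypeError rather than a clear error. Comparing the origin components explicitly states the intent and tolerates path/slash differences: `const expected = url.parse(syzoj.config.site_for_download || ''), actual = url.parse(syzoj.utils.getCurrentLocation(req, true));` followed by `if (!expected.host || actual.protocol !== expected.protocol || actual.host !== expected.host) {`. The check only achieves its purpose if `getCurrentLocation` derives the host from the incoming request (the Host header, or a forwarded-host header the deployment trusts) rather than from a configured base URL; that is worth confirming and recording in a comment such as `// Serve uploaded files only from the dedicated download origin (site_for_download), never from the main site host.`. The enclosing `/api/v2/download/:token` handler starts at the hunk header and continues past the end of the hunk.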
