优化json输出，关闭默认入口，增加目录逃逸判断

fsv2/handler/serverinfo.go

@@ -2,19 +2,19 @@ package handler
 
 import (
 	"encoding/json"
-	"fmt"
 	"net/http"
 	"os"
 	"path/filepath"
-	"strings"
 	"xtcfs/config"
+	"xtcfs/util"
 )
 
 // json 结构体
 type Response struct {
-	Status string        `json:"status"` //状态
+	Status   string        `json:"status"`  //状态
-	Data   FilesListJson `json:"data"`   //目录下的文件
+	Data     FilesListJson `json:"data"`    //目录下的文件
-	Scdir  string        `json:"curdir"` // 扫描的目录
+	Curdir   string        `json:"curdir"`  // 扫描的目录
+	WorksDir string        `json:"workdir"` //监听目录
 }
 
 // 文件输出的结构
@@ -30,13 +30,13 @@ type FilesListJson struct {
 // 遍历监视目录，发送到json中
 func SerInfo(w http.ResponseWriter, r *http.Request) {
 	// 监听的目录通过?p=的方式传入
-	//urlpath := r.Header.Get("p")
 	urlpath := r.URL.Query().Get("p")
-	upath := strings.TrimSuffix(urlpath, "nf")
+	// 防止逃逸，造成漏洞
-	fmt.Printf("upath is %s\n", upath)
+	if urlpath == ".." {
+		urlpath = "."
+	}
 	// 监听的根目录
-	realFilePath := filepath.Join(config.G.FilePath, upath)
+	realFilePath := filepath.Join(config.G.FilePath, urlpath)
-	downloadPath := filepath.Join(filepath.Base(config.G.FilePath), r.URL.Path[1:])
 	// 时间目录的情况
 	fileInfo, err := os.Stat(realFilePath)
 	if err != nil {
@@ -44,58 +44,33 @@ func SerInfo(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	data := struct {
-		Rundir       string
-		IsDir        bool
-		FileName     string
-		DownloadPath string
-		// Files        []os.DirEntry
-	}{
-		Rundir:       config.G.FilePath,
-		DownloadPath: downloadPath,
-	}
-
 	// list json
 	var flist FilesListJson
-
+	//针对目录的情况才输出
+	// todo 如果是文件的话 暂时不处理
 	if fileInfo.IsDir() {
-		data.IsDir = true
 		// 遍历目录
 		files, err := os.ReadDir(realFilePath)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}
-		// data.Files = files
+		// 遍历
-
 		for _, v := range files {
 			flist.Flist = append(flist.Flist, FileJson{Fname: v.Name(), Dirflag: v.IsDir()})
 		}
 
-	} else {
-		data.FileName = filepath.Base(realFilePath)
 	}
 
 	// respone file list
 	response := Response{
-		Status: "success",
+		Status:   "success",
-		Scdir:  upath,
+		Curdir:   urlpath,
-		Data:   flist,
+		WorksDir: config.G.FilePath,
-	}
+		Data:     flist,
-	// 设置跨域响应头
-	w.Header().Set("Access-Control-Allow-Origin", "*")
-	w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS,PUT,DELETET")
-	// w.Header().Set("Access-Control-Allow-Headers", "Content-Type,Accept,Accept-Length,Accept-Encoding,X-XSRF-TOKEN,X-XSRF-TOKEN")
-	w.Header().Set("Access-Control-Allow-Headers", "*")
-	//
-	w.Header().Set("Content-Type", "application/json")
-
-	// 如果是OPTIONS请求，返回200 OK
-	if r.Method == "OPTIONS" {
-		// fmt.Printf("options is now \n")
-		// w.WriteHeader(http.StatusOK)
-		return
 	}
 
+	// 开启跨域
+	util.CorsHadler(w, r)
 	json.NewEncoder(w).Encode(response)
 }

fsv2/main.go

@@ -26,7 +26,7 @@ func receiveClient() error {
 	//go discovery.Listen()
 
 	// 显示状态等
-	http.HandleFunc("/", handler.ReceiveHandler)
+	// http.HandleFunc("/", handler.ReceiveHandler)
 	// 服务信息
 	http.HandleFunc("/sc", handler.SerInfo)
 	// 开启web 服务，

fsv2/util/util.go

@@ -5,6 +5,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"io"
+	"net/http"
 	"os"
 	"path"
 	"path/filepath"
@@ -206,3 +207,21 @@ func IsFileExist(filename string) bool {
 	}
 	return false
 }
+
+// 跨域函数
+func CorsHadler(w http.ResponseWriter, r *http.Request) {
+	// 设置跨域响应头
+	w.Header().Set("Access-Control-Allow-Origin", "*")
+	w.Header().Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS,PUT,DELETET")
+	// w.Header().Set("Access-Control-Allow-Headers", "Content-Type,Accept,Accept-Length,Accept-Encoding,X-XSRF-TOKEN,X-XSRF-TOKEN")
+	w.Header().Set("Access-Control-Allow-Headers", "*")
+	//
+	w.Header().Set("Content-Type", "application/json")
+
+	// 如果是OPTIONS请求，返回200 OK
+	if r.Method == "OPTIONS" {
+		// fmt.Printf("options is now \n")
+		// w.WriteHeader(http.StatusOK)
+		return
+	}
+}