Andreas/siyuan
1
0
Fork 0
mirror of https://github.com/siyuan-note/siyuan.git synced 2025-12-22 17:40:13 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

🔒 Disable HTTP access to the /assets/ path https://github.com/siyuan-note/siyuan/issues/15257

Browse source
This commit is contained in:
Daniel 2025-07-09 20:12:54 +08:00
parent 42b92bf7a2
commit 31f5797176
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
1 changed files with 6 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
kernel/server/serve.go
View file

@ -475,6 +475,12 @@ func serveAssets(ginServer *gin.Engine) {
ginServer.GET("/assets/*path", model.CheckAuth, func(context *gin.Context) { ginServer.GET("/assets/*path", model.CheckAuth, func(context *gin.Context) {
requestPath := context.Param("path") requestPath := context.Param("path")
if "/" == requestPath || "" == requestPath {
// 禁止访问根目录 Disable HTTP access to the /assets/ path https://github.com/siyuan-note/siyuan/issues/15257
context.Status(http.StatusForbidden)
return
}
relativePath := path.Join("assets", requestPath) relativePath := path.Join("assets", requestPath)
p, err := model.GetAssetAbsPath(relativePath) p, err := model.GetAssetAbsPath(relativePath)
if err != nil { if err != nil {