sigoden/dufs
1
0
Fork 0
mirror of https://github.com/sigoden/dufs.git synced 2026-06-13 12:26:42 +03:00
Code Issues 65 Packages Projects Releases 10 Wiki Activity

[PR #719] [CLOSED] fix: 修复 v0.46.0 文件上传 404 错误(非存在路径跳过符号链接检查) #9105

New Issue
Closed
opened 2026-06-11 20:25:45 +03:00 by zhus · 0 comments
zhus commented 2026-06-11 20:25:45 +03:00
Owner
Copy Link
Copy Source

📋 Pull Request Information

Original PR: https://github.com/sigoden/dufs/pull/719
Author: @take7yo
Created: 6/11/2026
Status: Closed

Base: mainHead: fix/guard-root-contained-upload

📝 Commits (1)

  • 5beac77 fix: skip symlink guard for non-existent paths to restore upload functionality

📊 Changes

1 file changed (+3 additions, -1 deletions)

View changed files

📝 src/server.rs (+3 -1)

📄 Description

问题描述

PR #670 (commit a118c13) 引入了 guard_root_contained 方法,用于防止符号链接攻击。但该方法对所有请求无条件执行检查,包括尚不存在的路径,导致文件/文件夹上传功能失效。

复现步骤

  1. 使用 --allow-all 启动 dufs v0.46.0
  2. 通过 Web UI 上传文件到新目录
  3. 上传失败,返回 404 错误

根因分析

guard_root_contained 方法只检查直接父目录。当上传到新目录时:

  1. 路径 /a/b/c/file.txt 不存在
  2. 检查父目录 /a/b/c — 不存在
  3. fs::canonicalize 失败
  4. 守卫返回 true → 返回 404

在 v0.45.0 中,符号链接检查会在路径不存在时跳过(!is_miss 检查),允许上传操作创建新目录。

修复方案

guard_root_contained 调用前添加 !is_miss 检查:

// 修复前(v0.46.0 - 有 bug)
if self.guard_root_contained(path).await {

// 修复后(恢复 v0.45.0 行为)
if !is_miss && self.guard_root_contained(path).await {

修复效果

  • 允许上传文件到新目录
  • 允许上传嵌套文件夹(自动创建中间目录)
  • 允许 MKCOL 创建新目录
  • 对已存在路径仍执行符号链接安全检查

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/sigoden/dufs/pull/719 **Author:** [@take7yo](https://github.com/take7yo) **Created:** 6/11/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `fix/guard-root-contained-upload` --- ### 📝 Commits (1) - [`5beac77`](https://github.com/sigoden/dufs/commit/5beac7719468d8544048baf86dc1af483328e73d) fix: skip symlink guard for non-existent paths to restore upload functionality ### 📊 Changes **1 file changed** (+3 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `src/server.rs` (+3 -1) </details> ### 📄 Description ## 问题描述 PR #670 (commit a118c13) 引入了 `guard_root_contained` 方法,用于防止符号链接攻击。但该方法对所有请求无条件执行检查,包括尚不存在的路径,导致文件/文件夹上传功能失效。 ### 复现步骤 1. 使用 `--allow-all` 启动 dufs v0.46.0 2. 通过 Web UI 上传文件到新目录 3. 上传失败,返回 404 错误 ### 根因分析 `guard_root_contained` 方法只检查**直接父目录**。当上传到新目录时: 1. 路径 `/a/b/c/file.txt` 不存在 2. 检查父目录 `/a/b/c` — 不存在 3. `fs::canonicalize` 失败 4. 守卫返回 `true` → 返回 404 在 v0.45.0 中,符号链接检查会在路径不存在时跳过(`!is_miss` 检查),允许上传操作创建新目录。 ## 修复方案 在 `guard_root_contained` 调用前添加 `!is_miss` 检查: ```rust // 修复前(v0.46.0 - 有 bug) if self.guard_root_contained(path).await { // 修复后(恢复 v0.45.0 行为) if !is_miss && self.guard_root_contained(path).await { ``` 修复效果 - ✅ 允许上传文件到新目录 - ✅ 允许上传嵌套文件夹(自动创建中间目录) - ✅ 允许 MKCOL 创建新目录 - ✅ 对已存在路径仍执行符号链接安全检查 --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
zhus added the pull-request label 2026-06-11 20:25:45 +03:00
zhus changed title from [PR #719] fix: 修复 v0.46.0 文件上传 404 错误(非存在路径跳过符号链接检查) to [PR #719] [CLOSED] fix: 修复 v0.46.0 文件上传 404 错误(非存在路径跳过符号链接检查) 2026-06-12 20:25:12 +03:00
zhus closed this issue 2026-06-12 20:25:12 +03:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
enhancement
help wanted
pull-request
Mirrored from GitHub Pull Request
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
zhus (Sergey Zhukov)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: sigoden/dufs#9105
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?