fix: allow pwd query param on host_file to bypass header auth for img tags

2026-03-22 00:08:52 -03:00
parent cc61da67d9
commit 0fa6ba954d
1 changed files with 9 additions and 2 deletions
--- a/main.py
+++ b/main.py
@@ -150,12 +150,19 @@ async def get_audio_file(filename: str):
    raise HTTPException(status_code=404, detail="Arquivo de áudio não encontrado.")

@app.get("/api/host_file")
-async def get_host_file(path: str, is_auth: bool = Depends(verify_password)):
+async def get_host_file(path: str, pwd: str = None, x_web_password: str = Header(None)):
    """Serve arquivos (como imagens) da máquina host para exibir no painel de insights."""
+    # Autenticação dupla: via Header (fetch) ou via Query Parâmetro (tag img)
+    cfg = get_config()
+    saved_pwd = cfg.get("web_password", "@@Gi05Br;;")
+    auth_token = pwd or x_web_password
+    if not auth_token or auth_token != saved_pwd:
+         raise HTTPException(status_code=401, detail="Não autorizado")
+
    host_path = f"/host_root{path}" if not path.startswith("/host_root") else path
    
    # Previne directory traversal básico garantindo que comece com /host_root
-    if not host_path.startswith("/host_root"):
+    if not host_path.startswith("/host_root") or ".." in host_path:
         raise HTTPException(status_code=400, detail="Caminho inválido.")
         
    if os.path.isfile(host_path):