admtracksteel/BotVPS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: allow pwd query param on host_file to bypass header auth for img tags

Browse Source
This commit is contained in:
Marcos
2026-03-22 00:08:52 -03:00
parent cc61da67d9
commit 0fa6ba954d
1 changed files with 9 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
main.py
View File

@@ -150,12 +150,19 @@ async def get_audio_file(filename: str):
raise HTTPException(status_code=404, detail="Arquivo de áudio não encontrado.") raise HTTPException(status_code=404, detail="Arquivo de áudio não encontrado.")
@app.get("/api/host_file") @app.get("/api/host_file")
async def get_host_file(path: str, is_auth: bool = Depends(verify_password)): async def get_host_file(path: str, pwd: str = None, x_web_password: str = Header(None)):
"""Serve arquivos (como imagens) da máquina host para exibir no painel de insights.""" """Serve arquivos (como imagens) da máquina host para exibir no painel de insights."""
# Autenticação dupla: via Header (fetch) ou via Query Parâmetro (tag img)
cfg = get_config()
saved_pwd = cfg.get("web_password", "@@Gi05Br;;")
auth_token = pwd or x_web_password
if not auth_token or auth_token != saved_pwd:
raise HTTPException(status_code=401, detail="Não autorizado")
host_path = f"/host_root{path}" if not path.startswith("/host_root") else path host_path = f"/host_root{path}" if not path.startswith("/host_root") else path
# Previne directory traversal básico garantindo que comece com /host_root # Previne directory traversal básico garantindo que comece com /host_root
if not host_path.startswith("/host_root"): if not host_path.startswith("/host_root") or ".." in host_path:
raise HTTPException(status_code=400, detail="Caminho inválido.") raise HTTPException(status_code=400, detail="Caminho inválido.")
if os.path.isfile(host_path): if os.path.isfile(host_path):