Dev/aibot/bug fix (#2086)

* 添加为windows的环境打包以及一键启动脚本 (#2068) * 新增自动打包windows下的环境依赖 --------- Co-authored-by: binary-husky <qingxu.fu@outlook.com> * update requirements * update readme * idor-vuln-bug-fix * vuln-bug-fix: validate file size, default 500M * add tts test * remove welcome card when layout overflows --------- Co-authored-by: Menghuan <menghuan2003@outlook.com> Co-authored-by: binary-husky <qingxu.fu@outlook.com> Co-authored-by: aibot <hangyuntang@qq.com>
2024-12-23 10:17:43 +08:00
parent 060af0d2e6
commit 4fe638ffa8
16 changed files with 54 additions and 16 deletions
--- a/shared_utils/fastapi_server.py
+++ b/shared_utils/fastapi_server.py
@@ -51,7 +51,7 @@ def validate_path_safety(path_or_url, user):
    from toolbox import get_conf, default_user_name
    from toolbox import FriendlyException
    PATH_PRIVATE_UPLOAD, PATH_LOGGING = get_conf('PATH_PRIVATE_UPLOAD', 'PATH_LOGGING')
-    sensitive_path = None
+    sensitive_path = None   # 必须不能包含 '/'，即不能是多级路径
    path_or_url = os.path.relpath(path_or_url)
    if path_or_url.startswith(PATH_LOGGING):    # 日志文件（按用户划分）
        sensitive_path = PATH_LOGGING