From 2185839236af9bcac2ffaa7bb14ea0f61762c0eb Mon Sep 17 00:00:00 2001
From: Noah Hsu
Date: Sun, 18 Sep 2022 20:17:24 +0800
Subject: [PATCH] chore: safe base64 decode ipa name

---
 pkg/utils/hash.go | 19 +++++++++++++++++++
 server/handles/helper.go | 24 ++++++++++--------------
 2 files changed, 29 insertions(+), 14 deletions(-)

diff --git a/pkg/utils/hash.go b/pkg/utils/hash.go
index 1ebcedf3986..6a61d6bab7a 100644
--- a/pkg/utils/hash.go
+++ b/pkg/utils/hash.go
@@ -3,7 +3,9 @@ package utils
 import (
 	"crypto/md5"
 	"crypto/sha1"
+	"encoding/base64"
 	"encoding/hex"
+	"strings"
 )
 
 func GetSHA1Encode(data string) string {
@@ -17,3 +19,20 @@ func GetMD5Encode(data string) string {
 	h.Write([]byte(data))
 	return hex.EncodeToString(h.Sum(nil))
 }
+
+var DEC = map[string]string{
+	"-": "+",
+	"_": "/",
+	".": "=",
+}
+
+func SafeAtob(data string) (string, error) {
+	for k, v := range DEC {
+		data = strings.ReplaceAll(data, k, v)
+	}
+	bytes, err := base64.StdEncoding.DecodeString(data)
+	if err != nil {
+		return "", err
+	}
+	return string(bytes), err
+}
diff --git a/server/handles/helper.go b/server/handles/helper.go
index 66d0304863a..0664968af7e 100644
--- a/server/handles/helper.go
+++ b/server/handles/helper.go
@@ -1,13 +1,13 @@
 package handles
 
 import (
-	"encoding/base64"
 	"fmt"
 	"net/url"
 	"strings"
 
 	"github.com/alist-org/alist/v3/internal/conf"
 	"github.com/alist-org/alist/v3/internal/setting"
+	"github.com/alist-org/alist/v3/pkg/utils"
 	"github.com/alist-org/alist/v3/server/common"
 	"github.com/gin-gonic/gin"
 )
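Review bot: `SafeAtob` exposes its translation table as the exported, mutable package variable `DEC` and re-scans the whole input once per key; a `strings.Replacer` built once does the same in a single pass and removes the public mutable state, `var dec = strings.NewReplacer("-", "+", "_", "/", ".", "=")` with `data = dec.Replace(data)` in the body (assuming nothing else still references `DEC` now that it was removed from `handles`). The closing `return string(bytes), err` returns an `err` that is known to be nil on that line, so it should be the literal `nil`, and the local `bytes` shadows the standard package name. The exported function also lacks a doc comment, and because its name promises safety the comment should say exactly what it guarantees: `// SafeAtob decodes base64 in which "-", "_" and "." stand for "+", "/" and "=" (the standard characters are still accepted); it does not validate the decoded bytes.`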
@@ -16,30 +16,26 @@ func Favicon(c *gin.Context) {
 	c.Redirect(302, setting.GetStr(conf.Favicon))
 }
 
-var DEC = map[string]string{
-	"-": "+",
-	"_": "/",
-	".": "=",
-}
-
 func Plist(c *gin.Context) {
 	link := c.Param("link")
-	for k, v := range DEC {
-		link = strings.ReplaceAll(link, k, v)
-	}
-	u, err := base64.StdEncoding.DecodeString(link)
+	u, err := utils.SafeAtob(link)
 	if err != nil {
-		common.ErrorResp(c, err, 500)
+		common.ErrorResp(c, err, 400)
 		return
 	}
-	uUrl, err := url.Parse(string(u))
+	uUrl, err := url.Parse(u)
 	if err != nil {
-		common.ErrorResp(c, err, 500)
+		common.ErrorResp(c, err, 400)
 		return
 	}
 	fullName := c.Param("name")
 	Url := uUrl.String()
 	fullName = strings.TrimSuffix(fullName, ".plist")
+	fullName, err = utils.SafeAtob(fullName)
+	if err != nil {
+		common.ErrorResp(c, err, 400)
+		return
+	}
 	name := fullName
 	identifier := fmt.Sprintf("ci.nn.%s", url.PathEscape(fullName))
 	sep := "@"
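Review bot: After the new `utils.SafeAtob(fullName)` call, `fullName` (and `name := fullName`) is arbitrary decoded bytes rather than a path segment, and the rest of `Plist` where `name` is presumably written into the plist body lies outside the hunk; if it is interpolated into XML there, it must be escaped (`xml.EscapeText` or `html.EscapeString`), since the decoded value can now contain `<`, `&`, quotes, newlines or invalid UTF-8 that the raw path parameter could not. A cheap guard directly after the decode rejects the worst inputs: `if fullName == "" || !utf8.ValidString(fullName) { common.ErrorResp(c, fmt.Errorf("invalid name"), 400); return }` (needs `unicode/utf8`). The same consideration applies to `u`: `url.Parse` accepts any scheme, so `uUrl.Scheme` should be restricted to `http`/`https` before `Url` is placed in the manifest — this predates the commit, but the new 400 path makes it a one-line addition.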