Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

通过curl命令向/dav上传文件时,如果未指定后面的路径,会导致误删除存储中的所有文件。 #3569

Closed
4 tasks done
twoyang0917 opened this issue Feb 23, 2023 · 4 comments
Closed
4 tasks done

通过curl命令向/dav上传文件时,如果未指定后面的路径,会导致误删除存储中的所有文件。 #3569

twoyang0917 opened this issue Feb 23, 2023 · 4 comments
Labels
bug Something isn't working

Comments

@twoyang0917
Copy link

Please make sure of the following things

  • I have read the documentation.
  • I'm sure there are no duplicate issues or discussions.
  • I'm sure it's due to alist and not something else(such as Dependencies or Operational).
  • I'm sure I'm using the latest version

Alist Version / Alist 版本

v3.11.0

Driver used / 使用的存储驱动

LocalStorage

Describe the bug / 问题描述

通过curl命令向/dav上传文件时,如果未指定后面的路径,会导致误删除存储中的所有文件。

Reproduction / 复现链接

当指定了文件在webdav存储的存放路径/或者路径和文件名/config.json时工作正常

curl -v -u 'admin:jA52VIbP' -T 'data/config.json' http://localhost:5244/dav/config.json
curl -v -u 'admin:jA52VIbP' -T 'data/config.json' http://localhost:5244/dav/
*   Trying 127.0.0.1:5244...
* Connected to localhost (127.0.0.1) port 5244 (#0)
* Server auth using Basic with user 'admin'
> PUT /dav/config.json HTTP/1.1
> Host: localhost:5244
> Authorization: Basic YWRtaW46akE1MlZJYlA=
> User-Agent: curl/7.84.0
> Accept: */*
> Content-Length: 747
> Expect: 100-continue
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Date: Thu, 23 Feb 2023 09:16:58 GMT
< Content-Length: 7
< Content-Type: text/plain; charset=utf-8
<
* Connection #0 to host localhost left intact
Created%

但如果没有正确指定,只是前台报405 Method Not Allowed错误,后台没有报错。而实际上会删除存储下的所有文件。

 curl -v -u 'admin:jA52VIbP' -T 'data/config.json' http://localhost:5244/dav
*   Trying 127.0.0.1:5244...
* Connected to localhost (127.0.0.1) port 5244 (#0)
* Server auth using Basic with user 'admin'
> PUT /dav HTTP/1.1
> Host: localhost:5244
> Authorization: Basic YWRtaW46akE1MlZJYlA=
> User-Agent: curl/7.84.0
> Accept: */*
> Content-Length: 747
> Expect: 100-continue
>
* Done waiting for 100-continue
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 405 Method Not Allowed
< Date: Thu, 23 Feb 2023 09:18:40 GMT
< Content-Length: 18
< Content-Type: text/plain; charset=utf-8
< Connection: close
<
* Closing connection 0
Method Not Allowed%

我挂载的根路径是Downloads目录,被清空了,好在没有什么很重要的东西。

Logs / 日志

No response
@twoyang0917 twoyang0917 added the bug Something isn't working label Feb 23, 2023
@welcome
Copy link

welcome bot commented Feb 23, 2023

Thanks for opening your first issue here! Be sure to follow the issue template!

@xhofe xhofe closed this as completed in 0d3146b Feb 23, 2023
@twoyang0917
Copy link
Author

还是有点问题,我再补充一下。

./alist version
Built At: 2023-02-23 14:41:59 +0000
Go Version: go1.19.6 linux/amd64
Author: Xhofe <[email protected]>
Commit ID: c8f3e8a
Version: v3.12.0
WebVersion: 3.12.0

升级到新版本之后,上面那个case已经修复了。

但是我试了下另外一个case,我在挂载的根路径Downloads下面,建了个test目录,再在下面建了个文件test.txt。

mkdir ~/Downloads/test
echo "test" > test.txt

然后尝试往这个test目录上传文件,如果后面跟上了/,则正常上传到test目录中。
如果没有后面的/,则会将文件上传到根路径Downloads中,重命名为test,并且覆盖掉test目录。这样也会导致误删除子目录中的数据。

curl -v -u 'admin:jA52VIbP' -T 'data/config.json' http://localhost:5244/dav/test
*   Trying 127.0.0.1:5244...
* Connected to localhost (127.0.0.1) port 5244 (#0)
* Server auth using Basic with user 'admin'
> PUT /dav/test HTTP/1.1
> Host: localhost:5244
> Authorization: Basic YWRtaW46akE1MlZJYlA=
> User-Agent: curl/7.84.0
> Accept: */*
> Content-Length: 747
> Expect: 100-continue
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Date: Fri, 24 Feb 2023 06:45:22 GMT
< Content-Length: 7
< Content-Type: text/plain; charset=utf-8
<
* Connection #0 to host localhost left intact
Created%

所以感觉本质问题应该是如果存在与上传文件名同名的会覆盖(不论文件还是目录)。

我怕是我有什么误解,可能webdav本身就是这样工作的。于是我试了一下apache的webdav的行为,发现它的行为是如果是同名文件则会覆盖,如果是同名目录则不会覆盖,结果如下。

curl -T test.json http://localhost/test
*   Trying 127.0.0.1:80...
* Connected to localhost (127.0.0.1) port 80 (#0)
> PUT /test HTTP/1.1
> Host: localhost
> User-Agent: curl/7.84.0
> Accept: */*
> Content-Length: 747
> Expect: 100-continue
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Fri, 24 Feb 2023 07:11:00 GMT
< Content-Type: text/html; charset=iso-8859-1
< Content-Length: 252
< Connection: keep-alive
< Location: http://localhost/test/
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://localhost/test/">here</a>.</p>
</body></html>
* Connection #0 to host localhost left intact

@xhofe
Copy link
Collaborator

xhofe commented Feb 24, 2023
edited
Loading

还是有点问题,我再补充一下。

./alist version
Built At: 2023-02-23 14:41:59 +0000
Go Version: go1.19.6 linux/amd64
Author: Xhofe <[email protected]>
Commit ID: c8f3e8a
Version: v3.12.0
WebVersion: 3.12.0

升级到新版本之后,上面那个case已经修复了。

但是我试了下另外一个case,我在挂载的根路径Downloads下面,建了个test目录,再在下面建了个文件test.txt。

mkdir ~/Downloads/test
echo "test" > test.txt

然后尝试往这个test目录上传文件,如果后面跟上了/,则正常上传到test目录中。 如果没有后面的/,则会将文件上传到根路径Downloads中,重命名为test,并且覆盖掉test目录。这样也会导致误删除子目录中的数据。

curl -v -u 'admin:jA52VIbP' -T 'data/config.json' http://localhost:5244/dav/test
*   Trying 127.0.0.1:5244...
* Connected to localhost (127.0.0.1) port 5244 (#0)
* Server auth using Basic with user 'admin'
> PUT /dav/test HTTP/1.1
> Host: localhost:5244
> Authorization: Basic YWRtaW46akE1MlZJYlA=
> User-Agent: curl/7.84.0
> Accept: */*
> Content-Length: 747
> Expect: 100-continue
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Date: Fri, 24 Feb 2023 06:45:22 GMT
< Content-Length: 7
< Content-Type: text/plain; charset=utf-8
<
* Connection #0 to host localhost left intact
Created%

所以感觉本质问题应该是如果存在与上传文件名同名的会覆盖(不论文件还是目录)。

我怕是我有什么误解,可能webdav本身就是这样工作的。于是我试了一下apache的webdav的行为,发现它的行为是如果是同名文件则会覆盖,如果是同名目录则不会覆盖,结果如下。

curl -T test.json http://localhost/test
*   Trying 127.0.0.1:80...
* Connected to localhost (127.0.0.1) port 80 (#0)
> PUT /test HTTP/1.1
> Host: localhost
> User-Agent: curl/7.84.0
> Accept: */*
> Content-Length: 747
> Expect: 100-continue
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 100 Continue
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Date: Fri, 24 Feb 2023 07:11:00 GMT
< Content-Type: text/html; charset=iso-8859-1
< Content-Length: 252
< Connection: keep-alive
< Location: http://localhost/test/
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://localhost/test/">here</a>.</p>
</body></html>
* Connection #0 to host localhost left intact

你这本身就是非法行为,正常的webdav client都不会这么做,因为webdav put 后面的path本来就应该是完整的路径且包含上传的文件名。

你put http://localhost:5244/dav/test 的时候就会解析为,向/目录上传一个名为test的文件

@twoyang0917
Copy link
Author

好吧😮‍💨 我有个使用场景比较特殊,在服务器之间做文件交换,就是用curl去上传/下载。

varg1714 pushed a commit to varg1714/alist that referenced this issue Feb 26, 2023
@xhofe @walleoo
fix(webdav): disable put with empty path (close AlistGo#3569)
607e63c
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@twoyang0917 @xhofe