shinonomeow
diff --git a/‎backend/src/main.py‎
Lines changed: 0 additions & 20 deletions b/‎backend/src/main.py‎
Lines changed: 0 additions & 20 deletions
diff --git a/‎backend/src/module/ab_decorator/__init__.py‎
Lines changed: 0 additions & 44 deletions b/‎backend/src/module/ab_decorator/__init__.py‎
Lines changed: 0 additions & 44 deletions
diff --git a/‎backend/src/module/ab_decorator/timeout.py‎
Lines changed: 0 additions & 23 deletions b/‎backend/src/module/ab_decorator/timeout.py‎
Lines changed: 0 additions & 23 deletions
diff --git a/‎backend/src/module/api/auth.py‎
Lines changed: 6 additions & 2 deletions b/‎backend/src/module/api/auth.py‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎backend/src/module/api/bangumi.py‎
Lines changed: 52 additions & 2 deletions b/‎backend/src/module/api/bangumi.py‎
Lines changed: 52 additions & 2 deletions
diff --git a/‎backend/src/module/api/log.py‎
Lines changed: 3 additions & 3 deletions b/‎backend/src/module/api/log.py‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎backend/src/module/api/rss.py‎
Lines changed: 0 additions & 1 deletion b/‎backend/src/module/api/rss.py‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎backend/src/module/api/search.py‎
Lines changed: 2 additions & 1 deletion b/‎backend/src/module/api/search.py‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎backend/src/module/checker/checker.py‎
Lines changed: 1 addition & 1 deletion b/‎backend/src/module/checker/checker.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎backend/src/module/conf/config.py‎
Lines changed: 1 addition & 2 deletions b/‎backend/src/module/conf/config.py‎
Lines changed: 1 addition & 2 deletions
@@ -1,6 +1,5 @@
 import logging
 import os
-from pathlib import Path
 
 import uvicorn
 from fastapi import FastAPI, Request
@@ -9,7 +8,6 @@
 from fastapi.templating import Jinja2Templates
 from module.api import lifespan, v1
 from module.conf import VERSION, settings, setup_logger
-from module.network import load_image
 
 setup_logger(reset=True)
 logger = logging.getLogger(__name__)
@@ -40,26 +38,9 @@ def create_app() -> FastAPI:
 app = create_app()
 
 
-@app.get("/posters/{path:path}", tags=["posters"])
-async def posters(path: str):
-
-    # FIX: 有严重的安全问题, 需要修复
-    # 例: "../index.html" 可以访问到根目录的文件"
-    # TODO: 由于只有取的时候才会下载,所以会导致第一次请求的时候没有图片
-    post_path = Path("data/posters") / path
-    if not post_path.exists():
-        await load_image(path)
-    if post_path.exists():
-        return FileResponse(post_path)
-    else:
-        # TODO: 404
-        return FileResponse("")
-
-
 if VERSION != "DEV_VERSION":
     app.mount("/assets", StaticFiles(directory="dist/assets"), name="assets")
     app.mount("/images", StaticFiles(directory="dist/images"), name="images")
-    # app.mount("/icons", StaticFiles(directory="dist/icons"), name="icons")
     templates = Jinja2Templates(directory="dist")
 
     @app.get("/{path:path}")
@@ -89,4 +70,3 @@ def index():
         port=settings.program.webui_port,
         log_config=uvicorn_logging_config,
     )
-    
@@ -22,8 +22,9 @@
 @router.post("/login", response_model=dict)
 async def login(response: Response, form_data=Depends(OAuth2PasswordRequestForm)):
     user = User(username=form_data.username, password=form_data.password)
-    
+
     from module.database import Database
+
     with Database() as db:
         try:
             stored_user = db.user.get_user(user.username)
@@ -45,7 +46,10 @@ async def login(response: Response, form_data=Depends(OAuth2PasswordRequestForm)
             else:
                 active_user.append(user.username)
                 resp = ResponseModel(
-                    status_code=200, status=True, msg_en="Login successfully", msg_zh="登录成功"
+                    status_code=200,
+                    status=True,
+                    msg_en="Login successfully",
+                    msg_zh="登录成功",
                 )
 
     if resp.status:
 
@@ -1,15 +1,20 @@
-from fastapi import APIRouter, Depends
-from fastapi.responses import JSONResponse
+import logging
+from pathlib import Path
+
+from fastapi import APIRouter, Depends, HTTPException
+from fastapi.responses import FileResponse, JSONResponse
 from sqlalchemy.util.concurrency import asyncio
 
 from module.database import Database, engine
 from module.manager import BangumiManager
 from module.models import APIResponse, Bangumi, BangumiUpdate, ResponseModel
+from module.network import load_image
 from module.security.api import get_current_user
 
 from .response import u_response
 
 router = APIRouter(prefix="/bangumi", tags=["bangumi"])
+logger = logging.getLogger(__name__)
 
 
 # def str_to_list(data: Bangumi):
@@ -226,3 +231,48 @@ async def reset_all():
                 "msg_zh": "重置所有规则成功。",
             },
         )
+
+
+@router.get("/poster/{path:path}", dependencies=[Depends(get_current_user)])
+async def get_poster(path: str):
+    """
+    安全的poster图片访问端点
+    - 添加了用户鉴权
+    - 防止路径遍历攻击
+    - 限制只能访问posters目录下的文件
+    """
+    # 验证路径安全性 - 阻止路径遍历
+    if ".." in path or path.startswith("/") or "\\" in path:
+        logger.warning(f"[Poster] Blocked path traversal attempt: {path}")
+        raise HTTPException(status_code=400, detail="Invalid path")
+
+    # 构建安全的文件路径
+    poster_dir = Path("data/posters")
+    post_path = poster_dir / Path(path)
+
+    # 确保解析后的路径仍在预期目录内
+    try:
+        post_path.resolve().relative_to(poster_dir.resolve())
+    except ValueError:
+        logger.warning(f"[Poster] Path outside allowed directory: {path}")
+        raise HTTPException(status_code=400, detail="Path outside allowed directory")
+
+    logger.debug(f"[Poster] Accessing poster: {post_path}")
+
+    # 如果文件不存在，尝试下载
+    if not post_path.exists():
+        try:
+            await load_image(path)
+        except Exception as e:
+            logger.warning(f"[Poster] Failed to load image {path}: {e}")
+
+    # 返回文件
+    if post_path.exists() and post_path.is_file():
+        return FileResponse(
+            post_path,
+            media_type="image/jpeg",
+            headers={"Cache-Control": "public, max-age=86400"},  # 缓存1天
+        )
+    else:
+        logger.warning(f"[Poster] File not found: {post_path}")
+        raise HTTPException(status_code=404, detail="Poster not found")
@@ -14,13 +14,13 @@ async def get_log():
         try:
             with open(LOG_PATH, "r", encoding="utf-8") as f:
                 lines = f.readlines()
-            
+
             # 只返回最后200行
             last_lines = lines[-200:] if len(lines) > 200 else lines
             content = "".join(last_lines)
-            
+
             return Response(content, media_type="text/plain; charset=utf-8")
-            
+
         except Exception as e:
             return Response(f"Error reading log file: {str(e)}", status_code=500)
     else:
 
@@ -254,7 +254,6 @@ async def analysis(rss: RSSItem):
 async def download_collection(data: Bangumi):
     resp = await engine.download_bangumi(bangumi=data)
 
-    
     # TODO: resp 要等后面统一改
 
     if resp:
 
@@ -1,10 +1,11 @@
+import logging
+
 from fastapi import APIRouter, Depends, Query
 from sse_starlette.sse import EventSourceResponse
 
 from module.models import Bangumi
 from module.searcher import SEARCH_CONFIG, SearchTorrent
 from module.security.api import UNAUTHORIZED, get_current_user
-import logging
 
 logger = logging.getLogger("api.search")
 
 
@@ -65,5 +65,5 @@ def check_img_cache() -> bool:
 
 if __name__ == "__main__":
     import asyncio
-    pass
 
+    pass
@@ -19,7 +19,7 @@
 
 from .const import ENV_TO_ATTR
 
-T_BaseModel = TypeVar('T_BaseModel', bound=BaseModel)
+T_BaseModel = TypeVar("T_BaseModel", bound=BaseModel)
 
 logger = logging.getLogger(__name__)
 
@@ -123,7 +123,6 @@ def update_config(base_config: BaseModel | dict, data: dict):
 
 
 class Settings(Config):
-
     # def __init__(self):
     #     super().__init__()
     def __init__(self, **data):