安全修复：加固CSRF与凭证保护并修复越权风险

2026-02-16 01:19:43 +08:00
parent 14b506e8a1
commit 1389ec7434
22 changed files with 375 additions and 83 deletions
--- a/api_browser.py
+++ b/api_browser.py
@@ -117,7 +117,11 @@ def get_cookie_jar_path(username: str) -> str:
    """获取截图用的 cookies 文件路径（Netscape Cookie 格式）"""
    import hashlib

-    os.makedirs(COOKIES_DIR, exist_ok=True)
+    os.makedirs(COOKIES_DIR, mode=0o700, exist_ok=True)
+    try:
+        os.chmod(COOKIES_DIR, 0o700)
+    except Exception:
+        pass
    filename = hashlib.sha256(username.encode()).hexdigest()[:32] + ".cookies.txt"
    return os.path.join(COOKIES_DIR, filename)

@@ -260,6 +264,10 @@ class APIBrowser:

            with open(cookies_path, "w", encoding="utf-8") as f:
                f.write("\n".join(lines) + "\n")
+            try:
+                os.chmod(cookies_path, 0o600)
+            except Exception:
+                pass

            self.log(f"[API] Cookies已保存供截图使用")
            return True