API 鉴权漏洞修复

yisier · Dec 30, 2022 · ab81f5b · ab81f5b
1 parent ae2010c
commit ab81f5b
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -14,6 +14,10 @@
 
 ## 更新日志
 
+- 2022-12-30  v0.26.14  
+  ***修复***：API 鉴权漏洞修复
+
+
 - 2022-12-19  
 ***修复***：某些场景下丢包导致服务端意外退出  
 ***优化***：新增隧道时，不指定服务端口时，将自动生成端口号  

diff --git a/lib/version/version.go b/lib/version/version.go
@@ -1,6 +1,6 @@
 package version
 
-const VERSION = "0.26.13"
+const VERSION = "0.26.14"
 
 // Compulsory minimum version, Minimum downward compatibility to this version
 func GetVersion() string {

diff --git a/web/controllers/base.go b/web/controllers/base.go
@@ -32,6 +32,9 @@ func (s *BaseController) Prepare() {
 	md5Key := s.getEscapeString("auth_key")
 	timestamp := s.GetIntNoErr("timestamp")
 	configKey := beego.AppConfig.String("auth_key")
+	if configKey == "" {
+		configKey = crypt.GetRandomString(64)
+	}
 	timeNowUnix := time.Now().Unix()
 	if !(md5Key != "" && (math.Abs(float64(timeNowUnix-int64(timestamp))) <= 20) && (crypt.Md5(configKey+strconv.Itoa(timestamp)) == md5Key)) {
 		if s.GetSession("auth") != true {