chore(downloads): C1+C2 — drop dead target_ext; centralize path-traversal guard
- C1: remove downloads/formats.py target_ext() — defined but never called (the worker derives the real extension from the produced file's suffix). - C2: the download-root containment+existence guard was copy-pasted 6× across the file-serving endpoints (routes/downloads.py ×3, routes/public.py ×3). Extract storage.safe_abs_path(root, rel) -> Path|None so this security-sensitive check lives in one place; behavior identical (same containment test + messages). The extraction also made `pathlib.Path` unused in both route modules (removed).
This commit is contained in:
parent
c2a2c98f16
commit
2a44db04d8
4 changed files with 23 additions and 28 deletions
|
|
@ -80,14 +80,6 @@ def format_sig(spec: dict) -> str:
|
|||
return hashlib.sha256(payload.encode()).hexdigest()[:24]
|
||||
|
||||
|
||||
def target_ext(spec: dict) -> str:
|
||||
"""Best-effort final extension for the produced file (also used to name the staging output)."""
|
||||
s = normalize(spec)
|
||||
if s["mode"] == "a":
|
||||
return s["audio_format"] or "m4a"
|
||||
return s["container"] or "mp4"
|
||||
|
||||
|
||||
def build_ydl_opts(
|
||||
spec: dict,
|
||||
outtmpl: str,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue