fix: prevent BOM character loss in path concatenation #322
Merged
deepin-bot[bot] merged 1 commit into Jun 24, 2026
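Use std::string for directory path concatenation to avoid QString's normalization of UTF-8 BOM (U+FEFF / zero-width no-break space).

Use std::string for path concatenation to avoid the byte loss caused by QString's normalization of the UTF-8 BOM (zero-width no-break space).

Log: Fix BOM character loss during path concatenation
Bug: https://pms.uniontech.com//bug-view-367075.html
Influence: After the fix, paths containing a BOM / zero-width no-break space are concatenated correctly, avoiding file operation failures.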
deepin pr auto review

The user asks for an in-depth review of the provided code diff, with the report output strictly in the specified format. The provided diff modifies the `DEnumeratorPrivate::buildUrl` function in `src/dfm-io/dfm-io/denumerator.cpp`. Analyzing the diff:

```cpp
QUrl DEnumeratorPrivate::buildUrl(const QUrl &url, const char *fileName)
{
    QString path;
    if (url.path() == "/") {
        path = "/" + QString(fileName);
    } else {
        QString dirPath = url.path();
        path = dirPath.endsWith('/') ? dirPath + QString(fileName) : dirPath + "/" + QString(fileName);
    }
    // ...
```

New code:

```cpp
QUrl DEnumeratorPrivate::buildUrl(const QUrl &url, const char *fileName)
{
    // Guard against a null pointer to avoid a crash when constructing std::string or QByteArray
    if (!fileName) {
        return QUrl();
    }
    // Block path traversal attacks to keep malicious file names from escaping their bounds
    QByteArray fileNameBa(fileName);
    // Block path traversal attacks: forbid any path separator or consecutive dots in the file name, cutting off directory traversal at the source
    if (fileNameBa.contains('/') || fileNameBa.contains('\\') || fileNameBa == "." || fileNameBa == "..") {
        return QUrl();
    }
    QByteArray path;
    QString urlPath = url.path();
    if (urlPath == "/" || urlPath.isEmpty()) {
        path = QByteArray("/") + fileNameBa;
    } else {
        QByteArray dirPath = urlPath.toUtf8();
        if (!dirPath.endsWith('/')) {
            dirPath.append('/');
        }
        // Use QByteArray for low-level byte-array concatenation to keep QString from stripping the BOM (efbbbf)
        path = dirPath + fileNameBa;
    }
    // Preserve the original URL's scheme and host instead of assuming a local file
```
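The byte loss and the byte-level join discussed in the review above, as an added example that is not code from this pull request: it uses plain `std::string` rather than Qt types, and `decodeStrippingBom`, `isSafeEntryName`, `dirWithSlash`, `joinPathBytes`, `joinPathLossy` and the sample name are hypothetical.

```cpp
#include <string>

// Constructed sample: an entry name whose first three bytes are the UTF-8 BOM (EF BB BF).
const char kBomName[] = "\xEF\xBB\xBF" "report.txt";

// Hypothetical stand-in for a text decoder that drops a leading BOM, i.e. the
// lossy step the PR description attributes to QString. Not Qt code.
std::string decodeStrippingBom(const char *bytes)
{
    std::string s(bytes);
    if (s.compare(0, 3, "\xEF\xBB\xBF") == 0)
        s.erase(0, 3);
    return s;
}

// Same rejection rules as the reviewed code: null, path separators, "." and "..".
bool isSafeEntryName(const char *fileName)
{
    if (!fileName)
        return false;
    const std::string name(fileName);
    if (name == "." || name == "..")
        return false;
    return name.find('/') == std::string::npos && name.find('\\') == std::string::npos;
}

// Append '/' to the directory part unless it already ends with one; empty means root.
std::string dirWithSlash(const std::string &dirPath)
{
    std::string dir = dirPath.empty() ? std::string("/") : dirPath;
    if (dir.back() != '/')
        dir.push_back('/');
    return dir;
}

// Byte-exact join: the name is appended as raw bytes and never decoded.
// Returns an empty string on rejection, mirroring the `return QUrl();` above.
std::string joinPathBytes(const std::string &dirPath, const char *fileName)
{
    if (!isSafeEntryName(fileName))
        return std::string();
    return dirWithSlash(dirPath) + fileName;
}

// Lossy join for comparison: the name passes through the BOM-dropping decoder.
std::string joinPathLossy(const std::string &dirPath, const char *fileName)
{
    return dirWithSlash(dirPath) + decodeStrippingBom(fileName);
}
```

The lossy result is three bytes shorter than the on-disk name, so any later open or stat on it refers to a different (usually nonexistent) entry.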
max-lvs
approved these changes
Jun 24, 2026
[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: liyigang1, max-lvs

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
Contributor
Author
/forcemerge