From b7dddfb750e3d90e2c92f22a274d227f504c28a1 Mon Sep 17 00:00:00 2001 From: wangbo Date: Tue, 31 Mar 2026 15:04:56 +0800 Subject: [PATCH] =?UTF-8?q?fix(https):=20=E4=BF=AE=E5=A4=8D=E5=9F=9F?= =?UTF-8?q?=E5=90=8D=E6=8F=90=E5=8F=96=E6=90=BA=E5=B8=A6=E5=88=86=E5=8F=B7?= =?UTF-8?q?=E5=AF=BC=E8=87=B4=E8=AF=81=E4=B9=A6=E7=94=B3=E8=AF=B7=E5=A4=B1?= =?UTF-8?q?=E8=B4=A5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 修正 https.sh 中 server_name 提取与 certbot 参数构建逻辑,避免将 `credit99.cn;` 等非法域名传给 certbot;同时在 start.sh 增加域名规范化与格式校验,提前拦截协议前缀、路径和分号等脏输入。 Made-with: Cursor --- https.sh | 19 +++++++++++++++---- start.sh | 38 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 53 insertions(+), 4 deletions(-) diff --git a/https.sh b/https.sh index 773a43c..df7d89d 100755 --- a/https.sh +++ b/https.sh @@ -120,10 +120,21 @@ sudo nginx -s stop echo "🚀 使用certbot 自动配置证书" # 从 Nginx 配置文件中提取所有域名 CONF_FILE="${EASYAI_PROXY_CONF:-easyai-proxy.conf}" -DOMAINS=$(grep "server_name" /etc/nginx/conf.d/"$CONF_FILE" 2>/dev/null || find /etc/nginx/conf.d/ -name "easyai-proxy.conf" -exec grep "server_name" {} \; | \ +SERVER_NAME_LINES=$( + if [ -f "/etc/nginx/conf.d/$CONF_FILE" ]; then + grep "server_name" "/etc/nginx/conf.d/$CONF_FILE" 2>/dev/null || true + else + find /etc/nginx/conf.d/ -name "easyai-proxy.conf" -exec grep "server_name" {} \; 2>/dev/null || true + fi +) + +DOMAINS=$(echo "$SERVER_NAME_LINES" | \ grep -v "#" | \ awk '{for(i=2;i<=NF;i++) if($i!=";") print $i}' | \ sed 's/;//g' | \ + sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | \ + grep -E '^[A-Za-z0-9.-]+$' | \ + grep -vE '^(\*|localhost)$' | \ sort -u | \ tr '\n' ' ') @@ -133,9 +144,9 @@ if [ -n "$DOMAINS" ]; then sudo nginx -s stop # 构建域名参数字符串 - DOMAIN_ARGS="" + DOMAIN_ARGS=() for domain in $DOMAINS; do - DOMAIN_ARGS="$DOMAIN_ARGS -d $domain" + DOMAIN_ARGS+=("-d" "$domain") done # 使用 certbot --nginx 插件安装证书 @@ -146,7 +157,7 @@ if [ -n "$DOMAINS" ]; then --rsa-key-size 2048 \ --preferred-challenges http \ --force-renewal \ - $DOMAIN_ARGS + "${DOMAIN_ARGS[@]}" # 启动 Nginx 服务 echo "启动 Nginx 服务..." diff --git a/start.sh b/start.sh index 6927801..c920d68 100755 --- a/start.sh +++ b/start.sh @@ -28,6 +28,33 @@ DEPLOY_IP="" DEPLOY_DOMAIN="" DEPLOY_HTTPS=false +sanitize_domain() { + local domain="$1" + domain="${domain#http://}" + domain="${domain#https://}" + domain="${domain%%/*}" + domain="${domain%;}" + echo "$domain" +} + +validate_domain() { + local domain="$1" + # 基础域名校验:仅允许字母、数字、连字符和点;必须包含至少一个点;不能以点或连字符开头结尾 + if [[ ! "$domain" =~ ^[A-Za-z0-9.-]+$ ]]; then + return 1 + fi + if [[ "$domain" != *.* ]]; then + return 1 + fi + if [[ "$domain" =~ ^[.-] || "$domain" =~ [.-]$ ]]; then + return 1 + fi + if [[ "$domain" == *".."* ]]; then + return 1 + fi + return 0 +} + prompt_or_env() { local var_name=$1 local prompt_text=$2 @@ -63,6 +90,11 @@ run_deploy_questions() { return fi if [ "$DEPLOY_ACCESS" = "domain" ] && [ -n "$DEPLOY_DOMAIN" ]; then + DEPLOY_DOMAIN="$(sanitize_domain "$DEPLOY_DOMAIN")" + if ! validate_domain "$DEPLOY_DOMAIN"; then + echo "❌ 环境变量 DEPLOY_DOMAIN 格式不合法: ${DEPLOY_DOMAIN}" + exit 1 + fi DEPLOY_MODE="domain" DEPLOY_HTTPS="${DEPLOY_HTTPS_INPUT:-false}" echo "使用环境变量: 域名模式, 域名=$DEPLOY_DOMAIN" @@ -96,10 +128,16 @@ run_deploy_questions() { else # 3. 输入域名 prompt_or_env DEPLOY_DOMAIN "3. 请输入域名(不含 https:// 前缀,如 51easyai.com)" "DEPLOY_DOMAIN" "" + DEPLOY_DOMAIN="$(sanitize_domain "$DEPLOY_DOMAIN")" if [ -z "$DEPLOY_DOMAIN" ]; then echo "❌ 域名不能为空" exit 1 fi + if ! validate_domain "$DEPLOY_DOMAIN"; then + echo "❌ 域名格式不合法: ${DEPLOY_DOMAIN}" + echo " 请输入类似 51easyai.com 的域名,不要包含协议、路径或分号" + exit 1 + fi # 3.1 是否启用 HTTPS if [ -n "$DEPLOY_HTTPS_INPUT" ]; then