Merge remote-tracking branch 'upstream/main'

Author: LazuliKao

.github/ISSUE_TEMPLATE/00-bug_report_zh.yml

@@ -13,7 +13,7 @@ body:
     attributes:
       label: 请确认以下事项
       description: |
-        您必须确认、同意并勾选以下内容，否则您的问题一定会被直接关闭。
+        您必须阅读并检查以下内容，否则您的问题一定会被直接关闭。
         或者您可以去[讨论区](https://github.com/OpenListTeam/OpenList/discussions)。
       options:
         - label: |
@@ -34,6 +34,8 @@ body:
             我认为此问题必须由`OpenList`处理，而非第三方。
         - label: |
             我已确认这个问题在最新版本中没有被修复。
+        - label: |
+            我没有阅读这个清单，只是闭眼选中了所有的复选框，请关闭这个 Issue
 
   - type: input
     id: version

.github/ISSUE_TEMPLATE/01-bug_report_en.yml

@@ -13,7 +13,7 @@ body:
     attributes:
       label: Please confirm the following
       description: |
-        You must confirm, agree, and check all the following, otherwise your issue will definitely be closed directly.
+        You must read and check all the following, otherwise your issue will definitely be closed directly.
         Or you can go to the [discussions](https://github.com/OpenListTeam/OpenList/discussions).
       options:
         - label: |
@@ -34,6 +34,8 @@ body:
             I believe this issue must be handled by `OpenList` and not by a third party.
         - label: |
             I confirm this issue is not fixed in the latest version.
+        - label: |
+            I have not read these checkboxes and therefore I just ticked them all, Please close this issue
 
   - type: input
     id: version

.github/PULL_REQUEST_TEMPLATE.md

@@ -2,11 +2,13 @@
   Provide a general summary of your changes in the Title above.
   The PR title must start with `feat(): `, `docs(): `, `fix(): `, `style(): `, or `refactor(): `, `chore(): `. For example: `feat(component): add new feature`.
   If it spans multiple components, use the main component as the prefix and enumerate in the title, describe in the body.
+  For breaking changes, add `!` after the type, e.g., `feat(component)!: breaking change`.
 -->
 <!--
   在上方标题中提供您更改的总体摘要。
   PR 标题需以 `feat(): `, `docs(): `, `fix(): `, `style(): `, `refactor(): `, `chore(): ` 其中之一开头，例如：`feat(component): 新增功能`。
   如果跨多个组件，请使用主要组件作为前缀，并在标题中枚举、描述中说明。
+  如果是破坏性变更，请在类型后添加 `!`，例如 `feat(component)!: 破坏性变更`。
 -->
 
 ## Description / 描述

.github/workflows/issue_pr_comment.yml

@@ -20,7 +20,7 @@ jobs:
         with:
           script: |
             const issueBody = context.payload.issue.body || "";
-            const unchecked = /- \[ \] /.test(issueBody);
+            const unchecked = /- \[ \] (?!我没有阅读这个清单|I have not read these checkboxes)/.test(issueBody);
             let comment = "感谢您联系OpenList。我们会尽快回复您。\n";
             comment += "Thanks for contacting OpenList. We will reply to you as soon as possible.\n\n";
             if (unchecked) {
@@ -47,12 +47,14 @@ jobs:
         with:
           script: |
             const title = context.payload.pull_request.title || "";
-            const ok = /^(feat|docs|fix|style|refactor|chore)\(.+?\): /i.test(title);
+            const ok = /^(feat|docs|fix|style|refactor|chore)\(.+?\)!?: /i.test(title);
             if (!ok) {
               let comment = "⚠️ PR 标题需以 `feat(): `, `docs(): `, `fix(): `, `style(): `, `refactor(): `, `chore(): ` 其中之一开头，例如：`feat(component): 新增功能`。\n";
               comment += "⚠️ The PR title must start with `feat(): `, `docs(): `, `fix(): `, `style(): `, or `refactor(): `, `chore(): `. For example: `feat(component): add new feature`.\n\n";
               comment += "如果跨多个组件，请使用主要组件作为前缀，并在标题中枚举、描述中说明。\n";
               comment += "If it spans multiple components, use the main component as the prefix and enumerate in the title, describe in the body.\n\n";
+              comment += "如果是破坏性变更，请在类型后添加 `!`，例如 `feat(component)!: 破坏性变更`。\n";
+              comment += "For breaking changes, add `!` after the type, e.g., `feat(component)!: breaking change`.\n\n";
               await github.rest.issues.createComment({
                 ...context.repo,
                 issue_number: context.issue.number,

SECURITY.md

@@ -0,0 +1,89 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest stable release receives security patches. We strongly recommend always keeping OpenList up to date.
+
+| Version              | Supported          |
+| -------------------- | ------------------ |
+| Latest stable (v4.x) | :white_check_mark: |
+| Older versions       | :x:                |
+
+## Reporting a Vulnerability
+
+**Please do NOT report security vulnerabilities through public GitHub Issues.**
+
+If you discover a security vulnerability in OpenList, please report it responsibly by using one of the following channels:
+
+- **GitHub Private Security Advisory** (preferred): [Submit here](https://github.com/OpenListTeam/OpenList/security/advisories/new)
+- **Telegram**: Contact a maintainer privately via [@OpenListTeam](https://t.me/OpenListTeam)
+
+When reporting, please include as much of the following as possible:
+
+- A description of the vulnerability and its potential impact
+- The affected version(s)
+- Step-by-step instructions to reproduce the issue
+- Any proof-of-concept code or screenshots (if applicable)
+- Suggested mitigation or fix (optional but appreciated)
+
+## Security Best Practices for Users
+
+To keep your OpenList instance secure:
+
+- Always update to the latest release.
+- Use a strong, unique admin password and change it after first login.
+- Enable HTTPS (TLS) for your deployment — do **not** expose OpenList over plain HTTP on the public internet.
+- Limit exposed ports using a reverse proxy (e.g., Nginx, Caddy).
+- Set up access controls and avoid enabling guest access unless necessary.
+- Regularly review mounted storage permissions and revoke unused API tokens.
+- When using Docker, avoid running the container as root if possible.
+
+## Acknowledgments
+
+We sincerely thank all security researchers and community members who responsibly disclose vulnerabilities and help make OpenList safer for everyone.
+
+---
+
+# 安全政策
+
+## 支持的版本
+
+我们仅对最新稳定版本提供安全补丁。强烈建议始终保持 OpenList 为最新版本。
+
+| 版本               | 是否支持           |
+| ------------------ | ------------------ |
+| 最新稳定版（v4.x） | :white_check_mark: |
+| 旧版本             | :x:                |
+
+## 报告漏洞
+
+**请勿通过公开的 GitHub Issues 报告安全漏洞。**
+
+如果您在 OpenList 中发现安全漏洞，请通过以下渠道之一负责任地进行报告：
+
+- **GitHub 私密安全公告**（推荐）：[点击提交](https://github.com/OpenListTeam/OpenList/security/advisories/new)
+- **Telegram**：通过 [@OpenListTeam](https://t.me/OpenListTeam) 私信联系维护者
+
+报告时，请尽量提供以下信息：
+
+- 漏洞描述及其潜在影响
+- 受影响的版本
+- 复现问题的详细步骤
+- 概念验证代码或截图（如有）
+- 建议的缓解措施或修复方案（可选，但非常欢迎）
+
+## 用户安全最佳实践
+
+为保障您的 OpenList 实例安全：
+
+- 始终更新至最新版本。
+- 使用强且唯一的管理员密码，并在首次登录后立即修改。
+- 为您的部署启用 HTTPS（TLS）—— **请勿**在公网上以明文 HTTP 方式暴露 OpenList。
+- 使用反向代理（如 Nginx、Caddy）限制对外暴露的端口。
+- 配置访问控制，非必要情况下不要开启访客访问。
+- 定期检查已挂载存储的权限，并撤销未使用的 API 令牌。
+- 使用 Docker 部署时，尽可能避免以 root 用户运行容器。
+
+## 致谢
+
+我们衷心感谢所有负责任地披露漏洞、帮助 OpenList 变得更加安全的安全研究人员和社区成员。

cmd/lang.go

@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"io"
 	"os"
-	"reflect"
 	"strings"
 
 	_ "github.com/OpenListTeam/OpenList/v4/drivers"
@@ -69,15 +68,33 @@ func writeFile(name string, data interface{}) {
 		log.Errorf("failed to unmarshal json: %+v", err)
 		return
 	}
-	if reflect.DeepEqual(oldData, newData) {
+	if mergeJson(newData, oldData) {
 		log.Infof("%s.json no changed, skip", name)
 	} else {
 		log.Infof("%s.json changed, update file", name)
 		//log.Infof("old: %+v\nnew:%+v", oldData, data)
-		utils.WriteJsonToFile(fmt.Sprintf("lang/%s.json", name), newData, true)
+		utils.WriteJsonToFile(fmt.Sprintf("lang/%s.json", name), oldData, true)
 	}
 }
 
+func mergeJson(source, target map[string]interface{}) bool {
+	equal := true
+	for k, v := range source {
+		tgtV, tgtOk := target[k]
+		if !tgtOk {
+			equal = false
+			target[k] = v
+		} else {
+			srcMap, srcIsMap := v.(map[string]interface{})
+			tgtMap, tgtIsMap := tgtV.(map[string]interface{})
+			if srcIsMap && tgtIsMap {
+				equal = mergeJson(srcMap, tgtMap) && equal
+			}
+		}
+	}
+	return equal
+}
+
 func generateDriversJson() {
 	drivers := make(Drivers)
 	drivers["drivers"] = make(KV[interface{}])

drivers/115/driver.go

@@ -68,8 +68,7 @@ func (d *Pan115) Link(ctx context.Context, file model.Obj, args model.LinkArgs)
 		return nil, err
 	}
 	userAgent := args.Header.Get("User-Agent")
-	downloadInfo, err := d.
-		DownloadWithUA(file.(*FileObj).PickCode, userAgent)
+	downloadInfo, err := d.client.DownloadWithUA(file.(*FileObj).PickCode, userAgent)
 	if err != nil {
 		return nil, err
 	}
@@ -252,8 +251,8 @@ func (d *Pan115) GetDetails(ctx context.Context) (*model.StorageDetails, error)
 	}
 	return &model.StorageDetails{
 		DiskUsage: model.DiskUsage{
-			TotalSpace: uint64(info.SpaceInfo.AllTotal.Size),
-			FreeSpace:  uint64(info.SpaceInfo.AllRemain.Size),
+			TotalSpace: info.SpaceInfo.AllTotal.Size,
+			UsedSpace:  info.SpaceInfo.AllUse.Size,
 		},
 	}, nil
 }

drivers/115/types.go

@@ -22,6 +22,10 @@ func (f *FileObj) GetHash() utils.HashInfo {
 	return utils.NewHashInfo(utils.SHA1, f.Sha1)
 }
 
+func (f *FileObj) Thumb() string {
+	return f.ThumbURL
+}
+
 type UploadResult struct {
 	driver.BasicResp
 	Data struct {

drivers/115/util.go

@@ -9,7 +9,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"net/http"
 	"net/url"
 	"strconv"
 	"strings"
@@ -22,11 +21,9 @@ import (
 	"github.com/OpenListTeam/OpenList/v4/internal/model"
 	"github.com/OpenListTeam/OpenList/v4/pkg/http_range"
 	"github.com/OpenListTeam/OpenList/v4/pkg/utils"
-	"github.com/aliyun/aliyun-oss-go-sdk/oss"
-
 	cipher "github.com/SheltonZhu/115driver/pkg/crypto/ec115"
-	crypto "github.com/SheltonZhu/115driver/pkg/crypto/m115"
 	driver115 "github.com/SheltonZhu/115driver/pkg/driver"
+	"github.com/aliyun/aliyun-oss-go-sdk/oss"
 	"github.com/pkg/errors"
 )
 
@@ -108,60 +105,6 @@ func (d *Pan115) getUA() string {
 	return fmt.Sprintf("Mozilla/5.0 115Browser/%s", appVer)
 }
 
-func (d *Pan115) DownloadWithUA(pickCode, ua string) (*driver115.DownloadInfo, error) {
-	key := crypto.GenerateKey()
-	result := driver115.DownloadResp{}
-	params, err := utils.Json.Marshal(map[string]string{"pick_code": pickCode})
-	if err != nil {
-		return nil, err
-	}
-
-	data := crypto.Encode(params, key)
-
-	bodyReader := strings.NewReader(url.Values{"data": []string{data}}.Encode())
-	reqUrl := fmt.Sprintf("%s?t=%s", driver115.AndroidApiDownloadGetUrl, driver115.Now().String())
-	req, _ := http.NewRequest(http.MethodPost, reqUrl, bodyReader)
-	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
-	req.Header.Set("Cookie", d.Cookie)
-	req.Header.Set("User-Agent", ua)
-
-	resp, err := d.client.Client.GetClient().Do(req)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return nil, err
-	}
-	if err := utils.Json.Unmarshal(body, &result); err != nil {
-		return nil, err
-	}
-
-	if err = result.Err(string(body)); err != nil {
-		return nil, err
-	}
-
-	b, err := crypto.Decode(string(result.EncodedData), key)
-	if err != nil {
-		return nil, err
-	}
-
-	downloadInfo := struct {
-		Url string `json:"url"`
-	}{}
-	if err := utils.Json.Unmarshal(b, &downloadInfo); err != nil {
-		return nil, err
-	}
-
-	info := &driver115.DownloadInfo{}
-	info.PickCode = pickCode
-	info.Header = resp.Request.Header
-	info.Url.Url = downloadInfo.Url
-	return info, nil
-}
-
 func (c *Pan115) GenerateToken(fileID, preID, timeStamp, fileSize, signKey, signVal string) string {
 	userID := strconv.FormatInt(c.client.UserID, 10)
 	userIDMd5 := md5.Sum([]byte(userID))
@@ -309,7 +252,8 @@ func (c *Pan115) UploadByOSS(ctx context.Context, params *driver115.UploadOSSPar
 
 // UploadByMultipart upload by mutipart blocks
 func (d *Pan115) UploadByMultipart(ctx context.Context, params *driver115.UploadOSSParams, fileSize int64, s model.FileStreamer,
-	dirID string, up driver.UpdateProgress, opts ...driver115.UploadMultipartOption) (*UploadResult, error) {
+	dirID string, up driver.UpdateProgress, opts ...driver115.UploadMultipartOption,
+) (*UploadResult, error) {
 	var (
 		chunks    []oss.FileChunk
 		parts     []oss.UploadPart

drivers/115_open/driver.go

@@ -176,7 +176,7 @@ func (d *Open115) Rename(ctx context.Context, srcObj model.Obj, newName string)
 	}
 	_, err := d.client.UpdateFile(ctx, &sdk.UpdateFileReq{
 		FileID:  srcObj.GetID(),
-		FileNma: newName,
+		FileName: newName,
 	})
 	if err != nil {
 		return nil, err
@@ -331,18 +331,18 @@ func (d *Open115) GetDetails(ctx context.Context) (*model.StorageDetails, error)
 	if err != nil {
 		return nil, err
 	}
-	total, err := userInfo.RtSpaceInfo.AllTotal.Size.Int64()
+	total, err := ParseInt64(userInfo.RtSpaceInfo.AllTotal.Size)
 	if err != nil {
 		return nil, err
 	}
-	free, err := userInfo.RtSpaceInfo.AllRemain.Size.Int64()
+	used, err := ParseInt64(userInfo.RtSpaceInfo.AllUse.Size)
 	if err != nil {
 		return nil, err
 	}
 	return &model.StorageDetails{
 		DiskUsage: model.DiskUsage{
-			TotalSpace: uint64(total),
-			FreeSpace:  uint64(free),
+			TotalSpace: total,
+			UsedSpace:  used,
 		},
 	}, nil
 }