…th64, Accept-Ranges, LimitCount) Agent-Logs-Url: https://github.com/scanfing/HttpFileServer/sessions/b3b57f17-c4ea-472b-bfe9-fa7985832f76 Co-authored-by: scanfing <9262469+scanfing@users.noreply.github.com>
… path-injection alert Agent-Logs-Url: https://github.com/scanfing/HttpFileServer/sessions/b3b57f17-c4ea-472b-bfe9-fa7985832f76 Co-authored-by: scanfing <9262469+scanfing@users.noreply.github.com>
…m log message Agent-Logs-Url: https://github.com/scanfing/HttpFileServer/sessions/b3b57f17-c4ea-472b-bfe9-fa7985832f76 Co-authored-by: scanfing <9262469+scanfing@users.noreply.github.com>
Copilot created this pull request from a session on behalf of scanfing, April 28, 2026 09:43
Thunder (迅雷) and other multi-threaded download managers send concurrent Range requests per file. All but the first would return 500, because the file was opened with FileShare.None (the implicit default for the 3-arg FileStream constructor), causing every parallel reader after the first to throw IOException.

Root causes fixed

- FileShare.None → FileShare.Read in GetResponseContentTypeAndStream — the primary cause of 500s on concurrent range requests
- FileAccessHelper.LimitCount 2 → 32 — a limit of 2 concurrent file handles meant Thunder's 8+ worker threads were indefinitely queued; connections would time out before being admitted
- Content-Length on 206 responses — response.ContentLength64 = bytesNeeds was never set in ResponseContentPartial, leaving clients unable to know how many bytes to expect per chunk
- Accept-Ranges: bytes header — server never advertised range support; added to both full and partial content responses

Security fix (incidental)

Path traversal was possible since URL-derived paths were passed directly to FileStream without containment validation. GetResponseContentTypeAndStream now normalizes via Path.GetFullPath and verifies the resolved path stays within SourceDir before any file I/O. Path.GetFullPath calls are wrapped in try-catch to handle malformed paths gracefully.
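
The containment check described under the security fix, sketched in C# as an added example (it is not the project's code from this pull request). SafePath and TryResolve are hypothetical names, the request path is assumed to be already URL-decoded, and the comparison assumes a case-insensitive Windows file system.

```csharp
using System;
using System.IO;

static class SafePath // hypothetical helper, not from the project
{
    // True only when requestPath resolves to a location inside sourceDir.
    public static bool TryResolve(string sourceDir, string requestPath, out string fullPath)
    {
        fullPath = null;
        try
        {
            // One trailing separator on the root, so that "C:\share" does not
            // also match a sibling such as "C:\share-private".
            string root = Path.GetFullPath(sourceDir)
                .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
                + Path.DirectorySeparatorChar;
            // Path.Combine discards the root when the second part is rooted,
            // which is why the check runs on the final resolved path.
            string relative = (requestPath ?? "").TrimStart('/', '\\');
            string candidate = Path.GetFullPath(Path.Combine(root, relative));
            // Assumption: case-insensitive file system (Windows).
            if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase))
                return false;
            fullPath = candidate;
            return true;
        }
        catch (Exception ex) when (ex is ArgumentException
            || ex is NotSupportedException || ex is PathTooLongException)
        {
            return false; // malformed path: reject instead of failing the request
        }
    }
}

static class Program
{
    static void Main()
    {
        string sourceDir = Path.Combine(Path.GetTempPath(), "share"); // constructed root
        // Constructed request paths: one valid, two escaping, one malformed.
        string[] requests = { "/docs/a.zip", "/../share-private/x", "/docs/../../x", "/bad\0name" };
        foreach (string r in requests)
        {
            string shown = r.Replace("\0", "\\0");
            bool ok = SafePath.TryResolve(sourceDir, r, out string full);
            Console.WriteLine(shown + " -> " + (ok ? full : "rejected"));
        }
    }
}
```

Path.GetFullPath normalizes lexically and does not resolve symbolic links or junctions, so a link inside the root that points elsewhere still passes this check.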