Merge commit from fork

okatu-loli · web-flow · commit 69629ca76a8f · 2026-02-03T23:30:05.000+08:00
fix(tls): harden defaults and warn on insecure mode
diff --git a/drivers/webdav/meta.go b/drivers/webdav/meta.go
@@ -11,7 +11,6 @@ type Addition struct {
 	Username string `json:"username" required:"true"`
 	Password string `json:"password" required:"true"`
 	driver.RootPath
-	TlsInsecureSkipVerify bool `json:"tls_insecure_skip_verify" default:"false"`
 }
 
 var config = driver.Config{
diff --git a/drivers/webdav/util.go b/drivers/webdav/util.go
@@ -6,6 +6,7 @@ import (
 	"net/http/cookiejar"
 
 	"github.com/alist-org/alist/v3/drivers/webdav/odrvcookie"
+	"github.com/alist-org/alist/v3/internal/conf"
 	"github.com/alist-org/alist/v3/internal/model"
 	"github.com/alist-org/alist/v3/pkg/gowebdav"
 )
@@ -20,7 +21,7 @@ func (d *WebDav) setClient() error {
 	c := gowebdav.NewClient(d.Address, d.Username, d.Password)
 	c.SetTransport(&http.Transport{
 		Proxy:           http.ProxyFromEnvironment,
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: d.TlsInsecureSkipVerify},
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: conf.Conf.TlsInsecureSkipVerify},
 	})
 	if d.isSharepoint() {
 		cookie, err := odrvcookie.GetCookie(d.Username, d.Password, d.Address)
diff --git a/internal/bootstrap/config.go b/internal/bootstrap/config.go
@@ -70,6 +70,15 @@ func InitConfig() {
 	if !conf.Conf.Force {
 		confFromEnv()
 	}
+	if conf.Conf.TlsInsecureSkipVerify {
+		log.Warn("SECURITY WARNING / 安全警告:")
+		log.Warn("TLS certificate verification is disabled.")
+		log.Warn("TLS 证书校验已被禁用。")
+		log.Warn("This exposes all storage traffic to MitM attacks and may leak credentials or allow data tampering.")
+		log.Warn("这会使所有存储通信暴露于中间人攻击（MitM），可能导致凭据泄露和数据被篡改。")
+		log.Warn("Only use this setting if you fully understand the risks.")
+		log.Warn("仅在你完全理解风险的情况下使用该配置。")
+	}
 	// convert abs path
 	if !filepath.IsAbs(conf.Conf.TempDir) {
 		absPath, err := filepath.Abs(conf.Conf.TempDir)
diff --git a/internal/conf/config.go b/internal/conf/config.go
@@ -156,7 +156,7 @@ func DefaultConfig() *Config {
 		},
 		MaxConnections:        0,
 		MaxConcurrency:        64,
-		TlsInsecureSkipVerify: true,
+		TlsInsecureSkipVerify: false,
 		Tasks: TasksConfig{
 			Download: TaskConfig{
 				Workers:  5,
diff --git a/server/handles/ldap_login.go b/server/handles/ldap_login.go
@@ -150,7 +150,7 @@ func dial(ldapServer string) (*ldap.Conn, error) {
 	}
 
 	if tlsEnabled {
-		return ldap.DialTLS("tcp", ldapServer, &tls.Config{InsecureSkipVerify: true})
+		return ldap.DialTLS("tcp", ldapServer, &tls.Config{InsecureSkipVerify: conf.Conf.TlsInsecureSkipVerify})
 	} else {
 		return ldap.Dial("tcp", ldapServer)
 	}

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,6 @@ type Addition struct {`
`11`	`11`	Username string `json:"username" required:"true"`
`12`	`12`	Password string `json:"password" required:"true"`
`13`	`13`	`driver.RootPath`
`14`		- TlsInsecureSkipVerify bool `json:"tls_insecure_skip_verify" default:"false"`
`15`	`14`	`}`
`16`	`15`
`17`	`16`	`var config = driver.Config{`
Original file line number	Diff line number	Diff line change
`@@ -150,7 +150,7 @@ func dial(ldapServer string) (*ldap.Conn, error) {`
`150`	`150`	`}`
`151`	`151`
`152`	`152`	`if tlsEnabled {`
`153`		`- return ldap.DialTLS("tcp", ldapServer, &tls.Config{InsecureSkipVerify: true})`
	`153`	`+ return ldap.DialTLS("tcp", ldapServer, &tls.Config{InsecureSkipVerify: conf.Conf.TlsInsecureSkipVerify})`
`154`	`154`	`} else {`
`155`	`155`	`return ldap.Dial("tcp", ldapServer)`
`156`	`156`	`}`