fix: fix the w_rid calculation flaw #301

Merged
merged 3 commits into from
May 24, 2023

Drelf2018
Collaborator

@Drelf2018 Drelf2018 commented May 23, 2023

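  • There is also a possible index-out-of-range error in mixin_key
  • wts must also take part in the calculation
  • Corrected the parameters of the user.get_user_info() function

Do the parameters of every function need to be rewritten? My head is spinning.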

Drelf2018 added 3 commits May 22, 2023 00:43
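There is also a possible index-out-of-range error in mixin_key
Tested; the w_rid generated this way is correct. Some functions omitted parameters when they were originally written, so in theory all of them need to be changed. Sigh, that's a lot of work.
@Drelf2018
Collaborator Author

I'm considering writing a script that automatically converts the JSON in the library's data into Python functions.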

@z0z0r4
Collaborator

z0z0r4 commented May 23, 2023

As I recall, only wts and wrid are needed.

Isn't it just a matter of adding a sort?

@z0z0r4
Collaborator

z0z0r4 commented May 23, 2023

There's no need to change the parameters, right?

@z0z0r4
Collaborator

z0z0r4 commented May 23, 2023

Just adding a sorted should be enough, right?

@Drelf2018
Collaborator Author

> There's no need to change the parameters, right?

For example, the original code in get_user_info():

params = {"mid": self.__uid}
# Computed result {'mid': 434334701, 'wts': 1684894570, 'w_rid': 'd497848c7609eed670d61714b56c853f'}

Actual result
image


After the change

params = {
    "mid": self.__uid,
    "token": "",
    "platform": "web",
    "web_location": 1550101
}
# Computed result {'mid': 434334701, 'token': '', 'platform': 'web', 'web_location': 1550101, 'wts': 1684894733, 'w_rid': 'c280cbb87d48901aefa026d5257830c6'}

Matches the actual result
image
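
Added example, not part of this PR or the project's code: a sketch of why the sort, wts and the exact parameter set each change w_rid, using the parameter sets quoted in the comment above. It assumes w_rid is an MD5 over the urlencoded query followed by mixin_key; `MIXIN_KEY`, `sign` and `signature_report` are hypothetical names, and the key is a constructed placeholder.

```python
import hashlib
from urllib.parse import urlencode

# Constructed placeholder; the real mixin_key derivation is not shown in this thread.
MIXIN_KEY = "0123456789abcdef0123456789abcdef"


def sign(params, wts, mixin_key=MIXIN_KEY, sort=True):
    """Return a copy of params with wts and w_rid added.

    Assumed scheme: w_rid = MD5(urlencoded query including wts + mixin_key).
    sort=False hashes in insertion order, i.e. without canonical ordering.
    """
    signed = dict(params, wts=wts)  # wts is part of the hashed query
    items = signed.items()
    query = urlencode(sorted(items) if sort else list(items))
    signed["w_rid"] = hashlib.md5((query + mixin_key).encode()).hexdigest()
    return signed


def signature_report(wts=1684894733):
    """Compare signatures for the parameter sets quoted in the comment above."""
    short = {"mid": 434334701}
    full = {"mid": 434334701, "token": "", "platform": "web",
            "web_location": 1550101}
    shuffled = dict(reversed(list(full.items())))  # same pairs, other order
    return {
        "order_independent_when_sorted":
            sign(full, wts)["w_rid"] == sign(shuffled, wts)["w_rid"],
        "order_dependent_when_unsorted":
            sign(full, wts, sort=False)["w_rid"]
            != sign(shuffled, wts, sort=False)["w_rid"],
        "param_set_changes_w_rid":
            sign(short, wts)["w_rid"] != sign(full, wts)["w_rid"],
        "wts_changes_w_rid":
            sign(full, wts)["w_rid"] != sign(full, wts + 1)["w_rid"],
    }


if __name__ == "__main__":
    for name, ok in signature_report().items():
        print(f"{name}: {ok}")
```
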

@z0z0r4
Collaborator

z0z0r4 commented May 24, 2023

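What I mean is that it works without token too. Have you tried it? I tried it last week...

@Drelf2018
Collaborator Author

> What I mean is that it works without token too. Have you tried it? I tried it last week...

The reason is that when w_rid is incorrect, access to the endpoint succeeds with some probability; it only looks like token isn't needed because you wrote that -403 retry. In fact you will find that the request function was called several times before the data was successfully retrieved.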

@z0z0r4
Collaborator

z0z0r4 commented May 24, 2023

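> > What I mean is that it works without token too. Have you tried it? I tried it last week...
>
> The reason is that when w_rid is incorrect, access to the endpoint succeeds with some probability; it only looks like token isn't needed because you wrote that -403 retry. In fact you will find that the request function was called several times before the data was successfully retrieved.

Well... as long as your tests pass, that's fine; I can't verify it.jpg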

@z0z0r4 z0z0r4 merged commit df46eb7 into Nemo2011:dev May 24, 2023
@Drelf2018
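Collaborator Author

> You don't necessarily have to pass the API the same parameters as the web page does, right?

Hard to say; I can only guarantee that passing the original parameters yields the same w_rid.

Whether a w_rid obtained with fewer parameters passes Bilibili's validation, I don't know.

@aaa1115910

> > You don't necessarily have to pass the API the same parameters as the web page does, right?
>
> Hard to say; I can only guarantee that passing the original parameters yields the same w_rid.
>
> Whether a w_rid obtained with fewer parameters passes Bilibili's validation, I don't know.

I tried it: a w_rid computed with nonexistent parameters added passes validation.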

@z0z0r4
Copy link
Collaborator

z0z0r4 commented May 24, 2023

SocialSisterYi/bilibili-API-collect#631 (comment)

Either way, I've merged it. Sorting is required; there's no rush to add the token parameter.
