feat: v1.9.0 — media download improvements, mobile image fix, website copy fix

Changes:
- fix: website copy button now copies the active tab's command (#24)
- fix: mobile image upload base64 compatibility for Android browsers (#21)
- feat: improve media download delivery (from PR #27 by @papayachat)
  - path security hardening with symlink resolution
  - MEDIA_ALLOWED_DIRS config for custom allowed directories
  - Content-Disposition download mode with UTF-8 filename support
  - MEDIA: path parsing supports filenames with spaces
  - file cards open in download mode
- chore: bump version to v1.9.0
- chore: close resolved issues #7 #8 #19 #22 #23

Author: 1186258278

docs/index.html

@@ -868,7 +868,9 @@ <h3 class="font-bold mb-4" style="color:var(--txt)">飞书交流群</h3>
 
 // ===== 复制代码 =====
 function copyCode(btn){
-  const pre=btn.nextElementSibling;
+  const container=btn.parentElement;
+  const pre=container.querySelector('pre:not(.hidden)');
+  if(!pre)return;
   const text=pre.textContent;
   navigator.clipboard.writeText(text).then(()=>{
     const orig=btn.textContent;

h5/src/markdown.js

@@ -120,7 +120,8 @@ export function renderMarkdown(text) {
 
   let output = result.join('\n')
   // MEDIA: 路径替换为音频/视频/文件播放器
-  output = output.replace(/MEDIA:(\/[^\s<"]+)/g, (_, path) => {
+  output = output.replace(/MEDIA:(\/[^\n<"]+)/g, (_, rawPath) => {
+    const path = rawPath.trim()
     const src = `/media?path=${encodeURIComponent(path)}`
     if (/\.(mp3|wav|ogg|m4a|aac|flac|opus|wma)$/i.test(path)) {
       return `<div class="voice-bubble" data-src="${src}"><span class="voice-icon">&#9654;</span><span class="voice-bar"></span><span class="voice-dur">0″</span></div>`
@@ -131,7 +132,8 @@ export function renderMarkdown(text) {
     const ext = path.split('.').pop().toLowerCase()
     const iconMap = { pdf: '📄', doc: '📝', docx: '📝', txt: '📃', md: '📃', json: '📋', csv: '📊', zip: '📦', rar: '📦' }
     const icon = iconMap[ext] || '📎'
-    return `<div class="msg-file-card" onclick="window.open('${src}','_blank')"><span class="msg-file-icon">${icon}</span><div class="msg-file-info"><span class="msg-file-name">${fileName}</span></div></div>`
+    const dlSrc = `${src}&download=1`
+    return `<div class="msg-file-card" onclick="window.open('${dlSrc}','_blank')"><span class="msg-file-icon">${icon}</span><div class="msg-file-info"><span class="msg-file-name">${fileName}</span></div></div>`
   })
   return output
 }

h5/src/media.js

@@ -143,10 +143,12 @@ function renderPreviews() {
 /** 构建附件数组（发送给 Gateway） */
 export function getAttachments() {
   return _attachments.map(a => {
-    const match = /^data:([^;]+);base64,(.+)$/.exec(a.data)
+    // 兼容移动端浏览器：data URL 可能包含额外参数如 charset=utf-8
+    const match = /^data:([^;,]+)(?:;[^,]*)*;base64,(.+)$/s.exec(a.data)
     if (!match) return null
     const mimeType = match[1]
-    const content = match[2]
+    // 移动端浏览器可能在 base64 中混入换行/空格，需清理
+    const content = match[2].replace(/[\s\r\n]/g, '')
     const cat = a.category || mediaCategory(mimeType)
     // Gateway 目前只处理 image/* 附件，但我们仍然发送完整信息以便未来兼容
     return { type: cat, mimeType, content, fileName: a.name }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "clawapp",
-  "version": "1.8.0",
+  "version": "1.9.0",
   "private": true,
   "description": "ClawApp - OpenClaw AI 智能体的 H5 移动端聊天客户端",
   "homepage": "https://clawapp.qt.cool",

server/.env.example

@@ -14,5 +14,12 @@ OPENCLAW_GATEWAY_TOKEN=your-gateway-token-here
 # 设置后自动切换为 password 认证，优先级高于 token
 # OPENCLAW_GATEWAY_PASSWORD=your-gateway-password-here
 
+# 允许通过 /media 访问的额外目录（多个用逗号分隔）
+# 默认已允许 /tmp 和 /var/folders
+# MEDIA_ALLOWED_DIRS=~/.openclaw/workspace,/Users/yourname/Downloads
+
+# 设为 1 可允许访问任意路径媒体文件（不推荐公网场景）
+# MEDIA_ALLOW_ALL=0
+
 # 额外允许的 CORS 来源（多个用逗号分隔，用于反向代理/隧道场景）
 # ALLOWED_ORIGINS=https://your-domain.com,https://xxx.trycloudflare.com

server/index.js

@@ -14,9 +14,9 @@ import express from 'express';
 import { createServer } from 'http';
 import { WebSocket } from 'ws';
 import { fileURLToPath } from 'url';
-import { dirname, join } from 'path';
+import { dirname, join, resolve, sep, basename, extname } from 'path';
 import { randomUUID, randomBytes, generateKeyPairSync, createHash, sign as ed25519Sign, createPrivateKey } from 'crypto';
-import { readFileSync, writeFileSync, existsSync, createReadStream, statSync } from 'fs';
+import { readFileSync, writeFileSync, existsSync, createReadStream, statSync, realpathSync } from 'fs';
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
@@ -68,13 +68,70 @@ function updateEnvToken(newToken) {
 }
 
 // 配置
+const DEFAULT_MEDIA_ALLOWED_DIRS = ['/tmp', '/var/folders'];
+
+function expandHomePath(value) {
+  const str = String(value || '').trim();
+  if (!str) return '';
+  if (str === '~') return process.env.HOME || str;
+  if (str.startsWith('~/')) return join(process.env.HOME || '', str.slice(2));
+  return str;
+}
+
+function normalizePathForCompare(value, { mustExist = false } = {}) {
+  const expanded = expandHomePath(value);
+  if (!expanded) return '';
+  try {
+    if (existsSync(expanded)) {
+      return realpathSync(expanded);
+    }
+  } catch {}
+  if (mustExist) return '';
+  return resolve(expanded);
+}
+
+function parseAllowedMediaDirs(value) {
+  return String(value || '')
+    .split(',')
+    .map(part => normalizePathForCompare(part))
+    .filter(Boolean);
+}
+
+function isPathInsideDir(targetPath, dirPath) {
+  if (!targetPath || !dirPath) return false;
+  return targetPath === dirPath || targetPath.startsWith(dirPath.endsWith(sep) ? dirPath : `${dirPath}${sep}`);
+}
+
+function buildContentDisposition(filename) {
+  const originalName = String(filename || 'download')
+    .replace(/[\r\n"]/g, '_')
+    .trim() || 'download';
+  const extension = extname(originalName);
+  const baseName = originalName.slice(0, originalName.length - extension.length) || 'download';
+  const asciiBaseName = baseName
+    .normalize('NFKD')
+    .replace(/[^\x20-\x7E]+/g, '_')
+    .replace(/[%;\\]/g, '_')
+    .trim() || 'download';
+  const asciiExtension = extension
+    .normalize('NFKD')
+    .replace(/[^\x20-\x7E]+/g, '')
+    .replace(/[%;\\]/g, '') || '';
+  const fallbackName = `${asciiBaseName}${asciiExtension}` || 'download';
+  return `attachment; filename="${fallbackName}"; filename*=UTF-8''${encodeURIComponent(originalName)}`;
+}
+
 const CONFIG = {
   port: parseInt(process.env.PROXY_PORT, 10) || 3210,
   proxyToken: process.env.PROXY_TOKEN || '',
   gatewayUrl: process.env.OPENCLAW_GATEWAY_URL || 'ws://127.0.0.1:18789',
   gatewayToken: process.env.OPENCLAW_GATEWAY_TOKEN || '',
   gatewayPassword: process.env.OPENCLAW_GATEWAY_PASSWORD || '',
   mediaAllowAll: process.env.MEDIA_ALLOW_ALL === '1',
+  mediaAllowedDirs: [
+    ...DEFAULT_MEDIA_ALLOWED_DIRS.map(dir => normalizePathForCompare(dir, { mustExist: false })),
+    ...parseAllowedMediaDirs(process.env.MEDIA_ALLOWED_DIRS),
+  ],
   h5DistPath: join(__dirname, '../h5/dist'),
 };
 
@@ -753,9 +810,13 @@ app.get('/health', (req, res) => {
 app.get('/media', (req, res) => {
   const filePath = req.query.path;
   if (!filePath || !existsSync(filePath)) return res.status(404).send('Not Found');
-  if (!CONFIG.mediaAllowAll && !filePath.startsWith('/tmp/') && !filePath.startsWith('/var/folders/')) return res.status(403).send('Forbidden');
-  const stat = statSync(filePath);
-  const ext = filePath.split('.').pop().toLowerCase();
+  const resolvedFilePath = normalizePathForCompare(filePath, { mustExist: true });
+  if (!resolvedFilePath) return res.status(404).send('Not Found');
+  if (!CONFIG.mediaAllowAll && !CONFIG.mediaAllowedDirs.some(dir => isPathInsideDir(resolvedFilePath, dir))) {
+    return res.status(403).send('Forbidden');
+  }
+  const stat = statSync(resolvedFilePath);
+  const ext = resolvedFilePath.split('.').pop().toLowerCase();
   const mime = {
     // 音频
     mp3: 'audio/mpeg', wav: 'audio/wav', ogg: 'audio/ogg', m4a: 'audio/mp4',
@@ -774,8 +835,16 @@ app.get('/media', (req, res) => {
     zip: 'application/zip', rar: 'application/x-rar-compressed',
     '7z': 'application/x-7z-compressed', tar: 'application/x-tar', gz: 'application/gzip',
   }[ext] || 'application/octet-stream';
-  res.set({ 'Content-Type': mime, 'Content-Length': stat.size, 'Cache-Control': 'public, max-age=3600' });
-  createReadStream(filePath).pipe(res);
+  const headers = {
+    'Content-Type': mime,
+    'Content-Length': stat.size,
+    'Cache-Control': 'public, max-age=3600',
+  };
+  if (req.query.download === '1') {
+    headers['Content-Disposition'] = buildContentDisposition(basename(resolvedFilePath));
+  }
+  res.set(headers);
+  createReadStream(resolvedFilePath).pipe(res);
 });
 
 // ==================== API 路由 ====================
@@ -1164,6 +1233,11 @@ const server = createServer(app);
 server.listen(CONFIG.port, () => {
   log.info(`代理服务端已启动: http://0.0.0.0:${CONFIG.port}`);
   log.info(`架构: 手机 ←SSE+POST→ 代理服务端 ←WS→ Gateway(${CONFIG.gatewayUrl})`);
+  if (CONFIG.mediaAllowAll) {
+    log.warn('媒体文件访问已全开放 (MEDIA_ALLOW_ALL=1)');
+  } else {
+    log.info(`媒体文件允许目录: ${CONFIG.mediaAllowedDirs.join(', ')}`);
+  }
   if (_isFirstRun) {
     log.info('首次运行，请在浏览器中打开上述地址设置连接密码');
   } else if (CONFIG.proxyToken) {