合并拉取请求 #526

fix: 修复目录穿越问题
zfile-dev · May 27, 2023 · 72a627b · 72a627b
2 parents 0344f68 + 6aefc10
commit 72a627b
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/main/java/im/zhaojun/zfile/module/storage/service/impl/LocalServiceImpl.java b/src/main/java/im/zhaojun/zfile/module/storage/service/impl/LocalServiceImpl.java
@@ -257,7 +257,7 @@ private FileItemResult fileToFileItem(File file, String folderPath) {
  private static void checkPathSecurity(String... paths) {
  for (String path : paths) {
  // 路径中不能包含 .. 不然可能会获取到上层文件夹的内容
- if (StrUtil.containsAny(path, "../", "..\\")) {
+ if (StrUtil.startWith(path, "/..") || StrUtil.containsAny(path, "../", "..\\")) {
  throw new IllegalArgumentException("文件路径存在安全隐患: " + path);
  }
  }