修复任意文件上传和下载漏洞

2024-04-10 10:10:26 +08:00 · 2024-04-10 10:10:26 +08:00 · 0a610e8178
parent ddc500294b
commit 0a610e8178
1 changed files with 1 additions and 0 deletions
--- a/src/main/java/org/jeecgframework/web/system/controller/core/SystemController.java
+++ b/src/main/java/org/jeecgframework/web/system/controller/core/SystemController.java
@ -1244,6 +1244,7 @@ public class SystemController extends BaseController {
 		try {
 			String localPath=ResourceUtil.getConfigByName("webUploadpath");
 			String imgurl = localPath+File.separator+dbpath;
+			imgurl = imgurl.replace("..", "").replace("../", "");
 			inputStream = new BufferedInputStream(new FileInputStream(imgurl));
 			outputStream = response.getOutputStream();
 			byte[] buf = new byte[1024];