From 4d0462570080b1e347f9e6dc1910893e4412e2cf Mon Sep 17 00:00:00 2001
From: erzhongxmu
Date: Wed, 10 Apr 2024 10:11:00 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E4=BB=BB=E6=84=8F=E6=96=87?= =?UTF-8?q?=E4=BB=B6=E4=B8=8A=E4=BC=A0=E5=92=8C=E4=B8=8B=E8=BD=BD=E6=BC=8F?= =?UTF-8?q?=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../web/system/controller/core/SystemController.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/jeecgframework/web/system/controller/core/SystemController.java b/src/main/java/org/jeecgframework/web/system/controller/core/SystemController.java
index e8a5e8b3..4181235a 100644
--- a/src/main/java/org/jeecgframework/web/system/controller/core/SystemController.java
+++ b/src/main/java/org/jeecgframework/web/system/controller/core/SystemController.java
@@ -1195,7 +1195,9 @@ public class SystemController extends BaseController {
 }else if("1".equals(delFlag)){
 String path=request.getParameter("path");
 String delpath=ctxPath+File.separator+path;
- File fileDelete = new File(delpath);
+ delpath = delpath.replace("..", "").replace("../", "");
+
+ File fileDelete = new File(delpath);
 if (!fileDelete.exists() || !fileDelete.isFile()) {
 msg="警告: " + delpath + "不存在!";
 j.setSuccess(true);//不存在前台也给他删除
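Review bot: The added `delpath.replace("..", "").replace("../", "")` edits the string but never verifies that the file to be deleted lies inside the directory this branch is meant to manage, so the only remaining bound is `ctxPath` as a whole (its value is set outside this hunk). The second `replace("../", "")` can never match, because the first call has already removed every `..` pair, and the filter also runs over the `ctxPath` prefix, so a legitimate directory or file name containing `..` is silently rewritten into a different path instead of being rejected. I would resolve and normalize both paths and refuse the request unless the target `startsWith` the base, as in the fence below; `getCanonicalFile()` would additionally resolve symlinks but throws `IOException`, and the enclosing method starts and ends outside this hunk, so whether it can propagate that is not visible here. Separately, the unchanged `msg` line returns the absolute `delpath` to the client, which would be better reduced to the requested name.

```java
String delpath=ctxPath+File.separator+path;
// Collapse "." and ".." segments on both sides, then require containment
// instead of editing the string.
File baseDir = new File(ctxPath).getAbsoluteFile().toPath().normalize().toFile();
File fileDelete = new File(delpath).getAbsoluteFile().toPath().normalize().toFile();
if (!fileDelete.toPath().startsWith(baseDir.toPath())) {
	// Reject the request outright; do not try to repair the path.
	msg="警告: 非法的文件路径!";
	j.setSuccess(false);
}else if (!fileDelete.exists() || !fileDelete.isFile()) {
	// … unchanged: "不存在" message and the branches that follow …
```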