合并拉取请求 #526

fix: 修复目录穿越问题
2025-04-19 05:34:52 +00:00 · 2023-05-27 16:00:22 +08:00
parent 0344f687b6 6aefc107e7
commit 72a627be74
1 changed files with 1 additions and 1 deletions
--- a/src/main/java/im/zhaojun/zfile/module/storage/service/impl/LocalServiceImpl.java
+++ b/src/main/java/im/zhaojun/zfile/module/storage/service/impl/LocalServiceImpl.java
@@ -257,7 +257,7 @@ public class LocalServiceImpl extends AbstractProxyTransferService<LocalParam> {
    private static void checkPathSecurity(String... paths) {
        for (String path : paths) {
            // 路径中不能包含 .. 不然可能会获取到上层文件夹的内容
-            if (StrUtil.containsAny(path, "../", "..\\")) {
+            if (StrUtil.startWith(path, "/..") || StrUtil.containsAny(path, "../", "..\\")) {
                throw new IllegalArgumentException("文件路径存在安全隐患: " + path);
            }
        }