From 6aefc107e795f4c89aa13034b131131e848ef7a1 Mon Sep 17 00:00:00 2001
From: lxh <lxh>
Date: Sun, 23 Apr 2023 16:59:11 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E7=9B=AE=E5=BD=95?=
 =?UTF-8?q?=E7=A9=BF=E8=B6=8A=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../zfile/module/storage/service/impl/LocalServiceImpl.java     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/main/java/im/zhaojun/zfile/module/storage/service/impl/LocalServiceImpl.java b/src/main/java/im/zhaojun/zfile/module/storage/service/impl/LocalServiceImpl.java
index 1872549..5dd03c8 100644
--- a/src/main/java/im/zhaojun/zfile/module/storage/service/impl/LocalServiceImpl.java
+++ b/src/main/java/im/zhaojun/zfile/module/storage/service/impl/LocalServiceImpl.java
@@ -257,7 +257,7 @@ public class LocalServiceImpl extends AbstractProxyTransferService<LocalParam> {
     private static void checkPathSecurity(String... paths) {
         for (String path : paths) {
             // 路径中不能包含 .. 不然可能会获取到上层文件夹的内容
-            if (StrUtil.containsAny(path, "../", "..\\")) {
+            if (StrUtil.startWith(path, "/..") || StrUtil.containsAny(path, "../", "..\\")) {
                 throw new IllegalArgumentException("文件路径存在安全隐患: " + path);
             }
         }