实现文件/文件夹删除功能
对传入参数存在的安全问题进行检查
This commit is contained in:
parent
b4b45b3c6b
commit
69b8c80543
@ -114,7 +114,7 @@ class HomeController extends Controller
|
||||
$relativePath = rawurldecode($relativePath);
|
||||
|
||||
// 检查相对路径是否只包含允许的字符
|
||||
if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath)) {
|
||||
if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath) || $relativePath === '.' || $relativePath === '..' || str_contains($relativePath, '../')) {
|
||||
throw new NotFoundHttpException('Invalid file path.');
|
||||
}
|
||||
|
||||
@ -151,7 +151,7 @@ class HomeController extends Controller
|
||||
$relativePath = rawurldecode($relativePath);
|
||||
|
||||
// 检查相对路径是否只包含允许的字符
|
||||
if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath)) {
|
||||
if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath) || $relativePath === '.' || $relativePath === '..' || str_contains($relativePath, '../')) {
|
||||
throw new NotFoundHttpException('Invalid file path.');
|
||||
}
|
||||
|
||||
@ -195,7 +195,7 @@ class HomeController extends Controller
|
||||
{
|
||||
$relativePath = Yii::$app->request->post('relativePath');
|
||||
$relativePath = rawurldecode($relativePath);
|
||||
if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath)) {
|
||||
if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath) || $relativePath === '.' || $relativePath === '..' || str_contains($relativePath, '../')) {
|
||||
throw new NotFoundHttpException('Invalid file path.');
|
||||
}
|
||||
$absolutePath = Yii::getAlias(Yii::$app->params['dataDirectory']) . '/' . Yii::$app->user->id . '/' . $relativePath;
|
||||
|
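Review bot: The new condition in each of the three hunks only rejects the literal substring `../` and the bare values `.`/`..`, so a path whose final segment is `..` (for example `./..` or `sub/..`) still passes and, once appended after the user id in `$absolutePath`, resolves to the user's own directory or to the shared data directory above it — in an action that deletes files or folders (the commit title suggests the third hunk is that action; its body after `$absolutePath` is outside the hunk) that is the whole user folder or every user's data. Checking path segments instead of substrings closes the gap: `$segments = explode('/', $relativePath);` followed by `if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath) || in_array('.', $segments, true) || in_array('..', $segments, true)) {`. Since the character class also admits whitespace and a leading `/`, a `realpath()` containment check of `$absolutePath` against the per-user directory would be a sensible second line of defence before any filesystem operation. Separately, `rawurldecode($relativePath)` receives `null` when the POST field is absent, which is deprecated on PHP 8.1+; `Yii::$app->request->post('relativePath', '')` avoids that. The enclosing methods of the first two hunks start and end outside the hunk, and the same guard should be changed in all three places.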