From 69b8c8054361ef9de5d4a684d053ffcd51f3af5d Mon Sep 17 00:00:00 2001
From: Chenx221
Date: Mon, 12 Feb 2024 13:02:28 +0800
Subject: [PATCH] =?UTF-8?q?=E5=AE=9E=E7=8E=B0=E6=96=87=E4=BB=B6/=E6=96=87?=
 =?UTF-8?q?=E4=BB=B6=E5=A4=B9=E5=88=A0=E9=99=A4=E5=8A=9F=E8=83=BD=20?=
 =?UTF-8?q?=E5=AF=B9=E4=BC=A0=E5=85=A5=E5=8F=82=E6=95=B0=E5=AD=98=E5=9C=A8?=
 =?UTF-8?q?=E7=9A=84=E5=AE=89=E5=85=A8=E9=97=AE=E9=A2=98=E8=BF=9B=E8=A1=8C?=
 =?UTF-8?q?=E6=A3=80=E6=9F=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 controllers/HomeController.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/controllers/HomeController.php b/controllers/HomeController.php
index b558e87..343a78a 100644
--- a/controllers/HomeController.php
+++ b/controllers/HomeController.php
@@ -114,7 +114,7 @@ class HomeController extends Controller
         $relativePath = rawurldecode($relativePath);
 
         // 检查相对路径是否只包含允许的字符
-        if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath)) {
+        if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath) || $relativePath === '.' || $relativePath === '..' || str_contains($relativePath, '../')) {
             throw new NotFoundHttpException('Invalid file path.');
         }
 
@@ -151,7 +151,7 @@ class HomeController extends Controller
         $relativePath = rawurldecode($relativePath);
 
         // 检查相对路径是否只包含允许的字符
-        if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath)) {
+        if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath) || $relativePath === '.' || $relativePath === '..' || str_contains($relativePath, '../')) {
             throw new NotFoundHttpException('Invalid file path.');
         }
 
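Review bot: The added `..` guard in the `@@ -114` hunk is string-based and misses a `..` segment that is not followed by a slash, so `foo/..` passes all four conditions (it matches the allow-list regex, is not exactly `.` or `..`, and does not contain `../`) and resolves to the parent of `foo` — with `foo` an existing directory that is the user's own root, which matters for the delete feature this commit introduces. Checking per path segment closes that gap and also covers `a/../b` and a bare `.`: `$segments = explode('/', $relativePath);` and `if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath) || in_array('.', $segments, true) || in_array('..', $segments, true)) {`. The enclosing method's signature and the rest of its body are outside this hunk, so whether the path is later canonicalised with realpath() cannot be seen here; if it is not, the segment check is the only thing keeping the path inside the user directory.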
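Review bot: The `@@ -151` hunk is now the second of three byte-identical copies of the path guard, and each copy has to be patched whenever a bypass is found (the `foo/..` case the current string check still accepts, for example); a single private helper keeps the rule in one place and lets the comment state what it actually rejects. The call site then becomes the one line `$this->assertSafeRelativePath($relativePath);` in place of the `if` block. The surrounding method starts and ends outside this hunk.

```php
/**
 * Reject a user-supplied relative path unless every character is in the
 * allow-list and no path segment is `.` or `..` (covers `foo/..`, `a/../b`, `..`).
 *
 * @throws NotFoundHttpException when the path is not acceptable
 */
private function assertSafeRelativePath(string $relativePath): void
{
    $segments = explode('/', $relativePath);
    if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath)
        || in_array('.', $segments, true)
        || in_array('..', $segments, true)) {
        throw new NotFoundHttpException('Invalid file path.');
    }
}
```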
@@ -195,7 +195,7 @@ class HomeController extends Controller
     {
         $relativePath = Yii::$app->request->post('relativePath');
         $relativePath = rawurldecode($relativePath);
-        if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath)) {
+        if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath) || $relativePath === '.' || $relativePath === '..' || str_contains($relativePath, '../')) {
             throw new NotFoundHttpException('Invalid file path.');
         }
         $absolutePath = Yii::getAlias(Yii::$app->params['dataDirectory']) . '/' . Yii::$app->user->id . '/' . $relativePath;
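Review bot: `$absolutePath` on the last line of this hunk is built by plain concatenation right after the string-based guard, and that guard still accepts `foo/..` (no trailing slash, so `str_contains($relativePath, '../')` is false), which makes the absolute path resolve to the user's root directory itself — for an action that the commit message describes as deleting files and folders, that is the whole user tree. Because this action is the one that actually removes data, I would add a containment check on the resolved path in addition to fixing the segment check, so that a symlink placed inside the user directory cannot redirect the delete outside it either (realpath() follows symlinks, the string guard does not); a hedged note: whether users can create symlinks here is not visible in the hunk. The method's signature and the code that consumes `$absolutePath` are outside this hunk, so the lines below are meant to follow the existing `$absolutePath = ...` assignment.

```php
// … unchanged: allow-list / segment check, $absolutePath assignment …
$userRoot = realpath(Yii::getAlias(Yii::$app->params['dataDirectory']) . '/' . Yii::$app->user->id);
$resolved = realpath($absolutePath);
// Both must resolve, and the target must sit strictly below the user's root
// (trailing '/' keeps "…/42x" from passing as a prefix of "…/42").
if ($userRoot === false || $resolved === false || !str_starts_with($resolved, $userRoot . '/')) {
    throw new NotFoundHttpException('Invalid file path.');
}
```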