实现文件/文件夹删除功能

对传入参数存在的安全问题进行检查
Chenx221 2024-02-12 13:02:28 +08:00
parent b4b45b3c6b
commit 69b8c80543
Signed by: chenx221
GPG Key ID: D7A9EC07024C3021


@ -114,7 +114,7 @@ class HomeController extends Controller
$relativePath = rawurldecode($relativePath); $relativePath = rawurldecode($relativePath);
// 检查相对路径是否只包含允许的字符 // 检查相对路径是否只包含允许的字符
if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath)) { if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath) || $relativePath === '.' || $relativePath === '..' || str_contains($relativePath, '../')) {
throw new NotFoundHttpException('Invalid file path.'); throw new NotFoundHttpException('Invalid file path.');
} }
@ -151,7 +151,7 @@ class HomeController extends Controller
$relativePath = rawurldecode($relativePath); $relativePath = rawurldecode($relativePath);
// 检查相对路径是否只包含允许的字符 // 检查相对路径是否只包含允许的字符
if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath)) { if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath) || $relativePath === '.' || $relativePath === '..' || str_contains($relativePath, '../')) {
throw new NotFoundHttpException('Invalid file path.'); throw new NotFoundHttpException('Invalid file path.');
} }
@ -195,7 +195,7 @@ class HomeController extends Controller
{ {
$relativePath = Yii::$app->request->post('relativePath'); $relativePath = Yii::$app->request->post('relativePath');
$relativePath = rawurldecode($relativePath); $relativePath = rawurldecode($relativePath);
if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath)) { if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath) || $relativePath === '.' || $relativePath === '..' || str_contains($relativePath, '../')) {
throw new NotFoundHttpException('Invalid file path.'); throw new NotFoundHttpException('Invalid file path.');
} }
$absolutePath = Yii::getAlias(Yii::$app->params['dataDirectory']) . '/' . Yii::$app->user->id . '/' . $relativePath; $absolutePath = Yii::getAlias(Yii::$app->params['dataDirectory']) . '/' . Yii::$app->user->id . '/' . $relativePath;
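Review bot: The new `str_contains($relativePath, '../')` guard on the changed line only rejects `..` when it is followed by a slash, so a trailing parent segment such as `sub/..` or `./..` still passes the whole condition and, after the concatenation on the last line, resolves to the user's parent directory (the shared data directory) — the same gap is present in all three hunks of this file. A segment-wise check closes it: `if (!preg_match('/^[\w\-.\/\s]+$/u', $relativePath) || $relativePath === '.' || in_array('..', explode('/', $relativePath), true)) {`. As defence in depth, the resolved `$absolutePath` could additionally be passed through `realpath()` and required to start with the per-user base directory before any filesystem operation, since the regex alone does not bound where the path ends up. The methods these hunks belong to start outside the hunks (the third begins at its opening brace), so the surrounding handling of `$relativePath` is not visible here.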