From 6a065114053d5fd094bd79eaa51ffddc57a21c19 Mon Sep 17 00:00:00 2001
From: lealife
Date: Thu, 27 Oct 2016 15:09:10 +0800
Subject: [PATCH] =?UTF-8?q?=E9=98=B2=E6=AD=A2=E7=94=A8"../../=E6=9D=A5?= =?UTF-8?q?=E8=8E=B7=E5=8F=96=E5=85=B6=E5=AE=83=E6=96=87=E4=BB=B6"?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app/service/ThemeService.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/app/service/ThemeService.go b/app/service/ThemeService.go
index 92c693f..4c72abc 100644
--- a/app/service/ThemeService.go
+++ b/app/service/ThemeService.go
@@ -266,6 +266,11 @@ func (this *ThemeService) GetDefaultThemes() (themes []info.Theme) {
 
 // 得到模板内容
 func (this *ThemeService) GetTplContent(userId, themeId, filename string) string {
+ // 防止用"../../来获取其它文件"
+ if (strings.Contains(filename, "../")) {
+ return ""
+ }
+
 path := this.GetThemeAbsolutePath(userId, themeId) + "/" + filename
 return GetFileStrContent(path)
 }
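Review bot: The new guard in GetTplContent is a substring deny-list on `filename` alone, so it recognises only the forward-slash form of a parent reference and says nothing about `userId` and `themeId`, which also feed GetThemeAbsolutePath and are not validated in the visible lines. A containment check is sturdier: clean the theme directory, join the filename onto it, and refuse any result that does not stay under that directory, as in the excerpt below (it needs `path/filepath`; the file's import block is outside the hunk). That check is still lexical, so symlinks inside a theme directory would need separate handling if themes can contain them. Returning `""` silently also leaves nothing for detection, so a log line on the rejected branch would help, and the parentheses around the `if` condition are not gofmt style.

```go
func (this *ThemeService) GetTplContent(userId, themeId, filename string) string {
	// Resolve the requested file and require it to stay inside the theme directory.
	base := filepath.Clean(this.GetThemeAbsolutePath(userId, themeId))
	path := filepath.Join(base, filename)
	if !strings.HasPrefix(path, base+string(filepath.Separator)) {
		return ""
	}
	return GetFileStrContent(path)
}
```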