xuemingqiang/leanote
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

防止用"../../来获取其它文件"

Browse Source
This commit is contained in:
lealife
2016-10-27 15:09:10 +08:00
parent 15d8ebdc0f
commit 6a06511405
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
app/service/ThemeService.go
View File

@ -266,6 +266,11 @@ func (this *ThemeService) GetDefaultThemes() (themes []info.Theme) {
// 得到模板内容 // 得到模板内容
func (this *ThemeService) GetTplContent(userId, themeId, filename string) string { func (this *ThemeService) GetTplContent(userId, themeId, filename string) string {
// 防止用"../../来获取其它文件"
if (strings.Contains(filename, "../")) {
return ""
}
path := this.GetThemeAbsolutePath(userId, themeId) + "/" + filename path := this.GetThemeAbsolutePath(userId, themeId) + "/" + filename
return GetFileStrContent(path) return GetFileStrContent(path)
} }