防止Unzip文件恶意攻击

2016-10-27 16:37:12 +08:00
parent eda03f0aa4
commit 816af11db2
2 changed files with 26 additions and 11 deletions
--- a/app/lea/archive/zip.go
+++ b/app/lea/archive/zip.go
@ -7,6 +7,7 @@ import (
 	"os"
 	"path"
 	"strings"
+	"github.com/leanote/leanote/app/lea"
 )

 // main functions shows how to TarGz a directory/file and
@ -144,12 +145,18 @@ func Unzip(srcFilePath string, destDirPath string) (ok bool, msg string) {
 	}
 	defer r.Close()
 	for _, f := range r.File {
-		//		fmt.Println("FileName : ", f.Name); // j/aaa.zip
+		// fmt.Println("FileName : ", f.Name); // j/aaa.zip
 		rc, err := f.Open()
 		if err != nil {
 			panic(err)
 		}

+		// 包含恶意目录
+		if strings.Contains(f.Name, "../") {
+			lea.LogW("恶意文件", f.Name);
+			continue
+		}
+
 		// 把首文件夹去掉, 即j去掉, 分离出文件夹和文件名
 		paths := strings.Split(f.Name, "/")
 		prePath := ""