防止Unzip文件恶意攻击

app/lea/Debug.go

@@ -1,26 +1,34 @@
 package lea
 
 import (
-	"encoding/json"
+    "encoding/json"
-	"fmt"
+    "fmt"
-	"github.com/revel/revel"
+    "github.com/revel/revel"
 )
 
-func Log(i interface{}) {
+func Log(i ...interface{}) {
-	revel.INFO.Println(i)
+    revel.INFO.Println(i...)
+}
+
+func LogW(i ...interface{}) {
+    revel.WARN.Println(i...)
+}
+
+func Log1(key, i interface{}) {
+    revel.INFO.Println(key, i)
 }
 
 func LogJ(i interface{}) {
-	b, _ := json.MarshalIndent(i, "", "	")
+    b, _ := json.MarshalIndent(i, "", " ")
-	revel.INFO.Println(string(b))
+    revel.INFO.Println(string(b))
 }
 
 // 为test用
 func L(i interface{}) {
-	fmt.Println(i)
+    fmt.Println(i)
 }
 
 func LJ(i interface{}) {
-	b, _ := json.MarshalIndent(i, "", "	")
+    b, _ := json.MarshalIndent(i, "", " ")
-	fmt.Println(string(b))
+    fmt.Println(string(b))
 }

app/lea/archive/zip.go

@@ -7,6 +7,7 @@ import (
 	"os"
 	"path"
 	"strings"
+	"github.com/leanote/leanote/app/lea"
 )
 
 // main functions shows how to TarGz a directory/file and
@@ -144,12 +145,18 @@ func Unzip(srcFilePath string, destDirPath string) (ok bool, msg string) {
 	}
 	defer r.Close()
 	for _, f := range r.File {
-		//		fmt.Println("FileName : ", f.Name); // j/aaa.zip
+		// fmt.Println("FileName : ", f.Name); // j/aaa.zip
 		rc, err := f.Open()
 		if err != nil {
 			panic(err)
 		}
 
+		// 包含恶意目录
+		if strings.Contains(f.Name, "../") {
+			lea.LogW("恶意文件", f.Name);
+			continue
+		}
+
 		// 把首文件夹去掉, 即j去掉, 分离出文件夹和文件名
 		paths := strings.Split(f.Name, "/")
 		prePath := ""