From eda03f0aa4edcccacbb86dcd5666c3d626a3541b Mon Sep 17 00:00:00 2001
From: lealife <lifephp@gmail.com>
Date: Thu, 27 Oct 2016 15:40:17 +0800
Subject: [PATCH] =?UTF-8?q?=E9=98=B2=E6=AD=A2=E7=94=A8"../../=E6=9D=A5?=
 =?UTF-8?q?=E8=8E=B7=E5=8F=96=E5=85=B6=E5=AE=83=E6=96=87=E4=BB=B6"?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/service/ThemeService.go | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/app/service/ThemeService.go b/app/service/ThemeService.go
index 4c72abc..2e40c9c 100644
--- a/app/service/ThemeService.go
+++ b/app/service/ThemeService.go
@@ -264,10 +264,19 @@ func (this *ThemeService) GetDefaultThemes() (themes []info.Theme) {
 	return
 }
 
+
+func validateFilename(filename string) bool {
+	// 防止用"../../来获取其它文件"
+	if (strings.Contains(filename, "..")) {
+		return false
+	}
+	return true
+}
+
+
 // 得到模板内容
 func (this *ThemeService) GetTplContent(userId, themeId, filename string) string {
-	// 防止用"../../来获取其它文件"
-	if (strings.Contains(filename, "../")) {
+	if (!validateFilename(filename)) {
 		return ""
 	}
 	
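Review bot: validateFilename accepts the empty string and any name that merely avoids the two-character sequence "..", so `""` and names with a leading `/` or a backslash pass and are later concatenated onto the theme directory by the callers. Tightening the guard to `if filename == "" || filepath.IsAbs(filename) || strings.Contains(filename, "..") {` (importing path/filepath if the file does not already) closes the empty and absolute cases; the stricter form is to `filepath.Clean` the joined path and confirm it still has the theme directory as a prefix before any file access. The substring test also rejects harmless names such as `a..b`, which is an acceptable trade-off but worth stating in the comment. Style: `if (strings.Contains(...))` and `if (!validateFilename(filename))` carry parentheses gofmt strips, and the two blank lines on either side of the new function collapse to one under gofmt; the same applies to the guards in the UpdateTplContent and DeleteTpl hunks. GetTplContent's body continues outside the hunk.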
@@ -295,6 +304,10 @@ func (this *ThemeService) GetThemePath(userId, themeId string) string {
 
 // 更新模板内容
 func (this *ThemeService) UpdateTplContent(userId, themeId, filename, content string) (ok bool, msg string) {
+	if (!validateFilename(filename)) {
+		return 
+	}
+
 	basePath := this.GetThemeAbsolutePath(userId, themeId)
 	path := basePath + "/" + filename
 	if strings.Contains(filename, ".html") {
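Review bot: The bare `return` on a rejected filename yields `ok == false, msg == ""`, so the caller gets no indication that the name was refused rather than that the write failed; `return false, "invalid filename"` keeps the named results and gives the caller something to report. Whether other failure paths in this function populate msg cannot be seen from the hunk, since UpdateTplContent's body continues outside it, so match whatever they do. The check also runs before GetThemeAbsolutePath, which is the right order.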
@@ -331,6 +344,10 @@ func (this *ThemeService) UpdateTplContent(userId, themeId, filename, content st
 }
 
 func (this *ThemeService) DeleteTpl(userId, themeId, filename string) (ok bool) {
+	if (!validateFilename(filename)) {
+		return
+	}
+
 	path := this.GetThemeAbsolutePath(userId, themeId) + "/" + filename
 	ok = DeleteFile(path)
 	return
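Review bot: With an empty filename, which validateFilename accepts, `path` on the line after the guard becomes the theme directory itself with a trailing slash and is handed to DeleteFile; whether DeleteFile refuses directories is not visible from this hunk, so the guard here should also reject `filename == ""` (or require `filepath.Base(filename) == filename` so only a direct child of the theme directory can be deleted). The bare `return` is consistent with the existing `ok` result, so no message change is needed in this function.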