防止用"../../来获取其它文件"

lealife
2016-10-27 15:40:17 +08:00
parent 6a06511405
commit eda03f0aa4


@ -264,10 +264,19 @@ func (this *ThemeService) GetDefaultThemes() (themes []info.Theme) {
return
}
func validateFilename(filename string) bool {
// 防止用"../../来获取其它文件"
if (strings.Contains(filename, "..")) {
return false
}
return true
}
// 得到模板内容
func (this *ThemeService) GetTplContent(userId, themeId, filename string) string {
// 防止用"../../来获取其它文件"
if (strings.Contains(filename, "../")) {
if (!validateFilename(filename)) {
return ""
}
@ -295,6 +304,10 @@ func (this *ThemeService) GetThemePath(userId, themeId string) string {
// 更新模板内容
func (this *ThemeService) UpdateTplContent(userId, themeId, filename, content string) (ok bool, msg string) {
if (!validateFilename(filename)) {
return
}
basePath := this.GetThemeAbsolutePath(userId, themeId)
path := basePath + "/" + filename
if strings.Contains(filename, ".html") {
@ -331,6 +344,10 @@ func (this *ThemeService) UpdateTplContent(userId, themeId, filename, content st
}
func (this *ThemeService) DeleteTpl(userId, themeId, filename string) (ok bool) {
if (!validateFilename(filename)) {
return
}
path := this.GetThemeAbsolutePath(userId, themeId) + "/" + filename
ok = DeleteFile(path)
return
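Review bot: validateFilename rejects any name containing the substring `..`, which is a denylist on the raw string rather than a check that the final path stays inside the theme directory; it also refuses legitimate names such as `a..b.html`. A containment check at the three call sites would be sturdier: build the path with `path := filepath.Join(basePath, filename)` and reject it unless `strings.HasPrefix(path, filepath.Clean(basePath)+string(filepath.Separator))`. userId and themeId also feed GetThemeAbsolutePath, whose body is not visible here, so confirm they are validated before they reach the path. In UpdateTplContent the bare `return` on rejection leaves `msg` empty, so the caller gets no reason; setting something like `msg = "invalid filename"` first would help. The bodies of GetTplContent, UpdateTplContent and DeleteTpl continue outside the hunks shown.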