防止用"../../来获取其它文件"

app/service/ThemeService.go

@@ -264,10 +264,19 @@ func (this *ThemeService) GetDefaultThemes() (themes []info.Theme) {
 	return
 }
 
+
+func validateFilename(filename string) bool {
+	// 防止用"../../来获取其它文件"
+	if (strings.Contains(filename, "..")) {
+		return false
+	}
+	return true
+}
+
+
 // 得到模板内容
 func (this *ThemeService) GetTplContent(userId, themeId, filename string) string {
-	// 防止用"../../来获取其它文件"
+	if (!validateFilename(filename)) {
-	if (strings.Contains(filename, "../")) {
 		return ""
 	}
 	
@@ -295,6 +304,10 @@ func (this *ThemeService) GetThemePath(userId, themeId string) string {
 
 // 更新模板内容
 func (this *ThemeService) UpdateTplContent(userId, themeId, filename, content string) (ok bool, msg string) {
+	if (!validateFilename(filename)) {
+		return 
+	}
+
 	basePath := this.GetThemeAbsolutePath(userId, themeId)
 	path := basePath + "/" + filename
 	if strings.Contains(filename, ".html") {
@@ -331,6 +344,10 @@ func (this *ThemeService) UpdateTplContent(userId, themeId, filename, content st
 }
 
 func (this *ThemeService) DeleteTpl(userId, themeId, filename string) (ok bool) {
+	if (!validateFilename(filename)) {
+		return
+	}
+
 	path := this.GetThemeAbsolutePath(userId, themeId) + "/" + filename
 	ok = DeleteFile(path)
 	return