elunez / eladmin

eladmin JPA version: a front-end/back-end separated admin management system built on Spring Boot 2.6.4, JPA, Spring Security, Redis and Vue. The project is developed in separate modules, uses RBAC for access control, supports data dictionaries and data-permission management, one-click generation of front-end and back-end code, and dynamic routing.
https://eladmin.vip/demo
Apache License 2.0
21.07k stars, 7.33k forks

There has a directory traversal vulnerability. #791

Closed qytxhjb closed 1 year ago

qytxhjb commented 1 year ago

https://github.com/elunez/eladmin/blob/f3cdf8ccfced849f902f58ac95c8b0bb48d68cb4/eladmin-system/src/main/java/me/zhengjie/modules/mnt/rest/DeployController.java#L108

The name of the uploaded file is not verified here. Users can construct a cross-directory file name to delete and replace other important files on the server. Proceed as follows:

1. Use Fiddler to execute a request. My upload folder is D:/data/test; create a file 123.txt in D:/, but set the filename to " /../123.txt ".

2. We can see the file d:/123.txt has been deleted.
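The report above shows a client-controlled file name being joined onto the upload directory without validation, so a name containing `..` resolves to a path outside that directory and the controller's delete-then-write sequence removes a file the server never intended to touch. The following is an added example of the containment check a handler should run before it deletes or writes anything; it is not eladmin's own code, and `UPLOAD_DIR`, `resolveUpload` and the sample inputs are assumptions made here, with `/data/test` standing in for the issue's `D:/data/test`.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example, not part of the eladmin project: resolve a client-supplied
// file name inside a fixed upload root and refuse anything that escapes it.
public class SafeUploadPath {

    // Hypothetical upload root standing in for the issue's D:/data/test.
    static final Path UPLOAD_DIR = Paths.get("/data/test").toAbsolutePath().normalize();

    /**
     * Returns the resolved target path inside UPLOAD_DIR, or throws
     * IllegalArgumentException when the name is empty, carries path
     * separators or ".." segments, or would resolve outside the root.
     * Call this before any delete or write on the target.
     */
    static Path resolveUpload(String clientFileName) {
        if (clientFileName == null || clientFileName.trim().isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        String name = clientFileName.trim();
        // An upload name must be a single path element: no separators, no "..".
        // (Also rejects names such as "a..b.txt"; relax per segment if needed.)
        if (name.contains("/") || name.contains("\\") || name.contains("..")) {
            throw new IllegalArgumentException("path characters in file name: " + clientFileName);
        }
        Path target;
        try {
            target = UPLOAD_DIR.resolve(name).normalize();
        } catch (InvalidPathException e) {
            throw new IllegalArgumentException("invalid file name", e);
        }
        // Defence in depth: even after the character check, confirm containment.
        // Path.startsWith compares whole components, so /data/test2 does not pass.
        if (!target.startsWith(UPLOAD_DIR) || target.equals(UPLOAD_DIR)) {
            throw new IllegalArgumentException("file name escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign name plus traversal attempts,
        // including the " /../123.txt" shape from the report.
        String[] samples = {"123.txt", " /../123.txt", "../../etc/passwd", "sub\\x.txt"};
        for (String s : samples) {
            try {
                System.out.println("accepted: " + resolveUpload(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: \"" + s + "\" -> " + e.getMessage());
            }
        }
    }
}
```

Only `123.txt` is accepted; the other three are rejected by the separator check, and the `startsWith` test remains as a second line of defence in case the character filter is ever loosened. Running the check before the existing-file delete matters as much as running it before the write, since the report shows deletion alone is enough to do damage.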

elunez commented 1 year ago

Fixed