Closed thiscodecc closed 5 years ago
1. Arbitrary file deletion. Code: app\modules\polygon\controllers\ProblemController, lines 89 to 113

```php
public function actionDeletefile($id, $name)
{
    $model = $this->findModel($id);
    if ($name == 'in') {
        // Bulk delete of every *.in data file of this problem
        $files = $model->getDataFiles();
        foreach ($files as $file) {
            if (strpos($file['name'], '.in')) {
                @unlink(Yii::$app->params['judgeProblemDataPath'] . $model->id . '/' . $file['name']);
            }
        }
    } else if ($name == 'out') {
        // Bulk delete of every *.out and *.ans data file of this problem
        $files = $model->getDataFiles();
        foreach ($files as $file) {
            if (strpos($file['name'], '.out')) {
                @unlink(Yii::$app->params['judgeProblemDataPath'] . $model->id . '/' . $file['name']);
            }
            if (strpos($file['name'], '.ans')) {
                @unlink(Yii::$app->params['judgeProblemDataPath'] . $model->id . '/' . $file['name']);
            }
        }
    } else {
        // $name comes straight from the request and is joined to the path without any check
        @unlink(Yii::$app->params['judgeProblemDataPath'] . $model->id . '/' . $name);
    }
    return $this->redirect(['test-data', 'id' => $model->id]);
}
```

unlink is called without validating the file name passed in, which allows arbitrary file deletion. Request URL: http://127.0.0.1/jnoj/web/polygon/problem/deletefile?id=1&name=../../../../jnoj/composer.lock
2. Arbitrary file read

Code: app\modules\polygon\controllers\ProblemController, lines 115 to 121

```php
public function actionViewfile($id, $name)
{
    $model = $this->findModel($id);
    echo '<pre>';
    // $name comes straight from the request and is joined to the path without any check
    echo file_get_contents(Yii::$app->params['judgeProblemDataPath'] . $model->id . '/' . $name);
    echo '</pre>';
}
```

Request URL: http://127.0.0.1/jnoj/web/polygon/problem/viewfile?id=1&name=../../../../../../../etc/passwd

Suggested fix: validate the file name passed in.
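One way to implement the suggested check, as an added example that is not jnoj's own code: a hypothetical helper `resolveDataFile()` that accepts only a bare file name and confirms the canonical path stays inside the problem's data directory. It assumes the layout from the report (`Yii::$app->params['judgeProblemDataPath'] . $model->id`) and uses a constructed temporary directory for the demonstration.

```php
<?php
// Added example (not jnoj's own code). Hypothetical helper resolveDataFile()
// for the polygon problem-data endpoints; assumes the directory layout from
// the report: Yii::$app->params['judgeProblemDataPath'] . $model->id.

/**
 * Resolve $name to an absolute path inside $dataDir.
 * Returns null unless $name is a bare file name that exists directly in $dataDir.
 */
function resolveDataFile(string $dataDir, string $name): ?string
{
    // Allowlist: letters, digits, '_', '-', '.'; the first character must not be
    // a dot, so '', '.', '..' and dotfiles are rejected before any path work.
    if (!preg_match('/^[A-Za-z0-9_-][A-Za-z0-9_.-]*$/', $name)) {
        return null;
    }

    $base = realpath($dataDir);
    if ($base === false || !is_dir($base)) {
        return null; // problem data directory does not exist
    }

    // realpath() canonicalises '..' and symlinks; false if the file is missing.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($target === false || !is_file($target)) {
        return null;
    }

    // Containment check: the canonical target must sit directly under $base.
    // This catches a symlink inside the data directory that points elsewhere.
    if (dirname($target) !== $base) {
        return null;
    }

    return $target;
}

// Stand-alone demonstration with a constructed temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'polygon_demo_' . getmypid();
mkdir($dir, 0700, true);
file_put_contents($dir . DIRECTORY_SEPARATOR . '1.in', "1 2\n");

$cases = [
    '1.in',                   // legitimate test-data file
    '../../../../etc/passwd', // traversal attempt from the report
    '..',                     // a directory, not a file
    'missing.out',            // well-formed name, but no such file
];
foreach ($cases as $name) {
    $path = resolveDataFile($dir, $name);
    printf("%-26s => %s\n", $name, $path === null ? 'rejected' : 'ok: ' . $path);
}

unlink($dir . DIRECTORY_SEPARATOR . '1.in');
rmdir($dir);
```

In the two controller actions the raw concatenation would be replaced by `$path = resolveDataFile(Yii::$app->params['judgeProblemDataPath'] . $model->id, $name);`, with a `yii\web\NotFoundHttpException` thrown when the result is null, before `unlink()` or `file_get_contents()` is reached. The `in`/`out` bulk-delete branches need no change, since the names they iterate come from `getDataFiles()` rather than from the request.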
ok, thanks for the report