Closed 596192804 closed 2 months ago
@596192804 thanks for sharing! Is there a way to solve the issue with pathlib?
I just tested it and found that pathlib also has similar rules.
ahaha, amazing, so easy!
We need to fix this asap
@596192804 fixed in #402. And again, thanks for posting this issue!
Currently, there is a file leakage vulnerability on the server. For instance, when I access http://127.0.0.1:8008//etc/passwd, I can view the contents of the /etc/passwd file. The root cause lies in the execution of os.path.join(path1, path2), where if path2 is an absolute path, path1 will be ignored.
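The join behaviour reported above, next to a containment check that rejects such requests. This is an added example, not the project's code and not the fix from #402. The function names and the assumption that the handler drops one leading "/" before joining are hypothetical.

```python
import os
import tempfile
from pathlib import PurePosixPath


def unsafe_resolve(root, url_path):
    # Assumed handler logic: drop one leading "/" and join onto the web root.
    # For "//etc/passwd" the remainder "/etc/passwd" is still absolute,
    # so os.path.join() discards root entirely.
    return os.path.join(root, url_path[1:])


def safe_resolve(root, url_path):
    """Return a real path inside root, or None if the request escapes it."""
    root_real = os.path.realpath(root)
    # Resolve "..", symlinks and any absolute override first, then require
    # that the result is still located under the web root.
    candidate = os.path.realpath(os.path.join(root_real, url_path[1:]))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def demo():
    results = {}
    # Constructed web root containing a single file.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("ok")
        results["root"] = os.path.realpath(root)
        results["unsafe_abs"] = unsafe_resolve(root, "//etc/passwd")
        results["safe_abs"] = safe_resolve(root, "//etc/passwd")
        results["safe_dotdot"] = safe_resolve(root, "/../../etc/passwd")
        results["safe_ok"] = safe_resolve(root, "/index.html")
    # pathlib follows the same rule: an absolute right-hand operand wins.
    results["pathlib"] = str(PurePosixPath("/srv/www") / "/etc/passwd")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A handler using `safe_resolve` would answer 404 or 403 whenever it returns `None`.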