[Security][Bugfix] Fix directory traversal exploit (#1907)
* [Security][Bugfix] Fix directory traversal exploit 1. The first slash acts as the root path when resolving the local path, so directory traversal is possible. 2. Filter the illegal payload to prevent directory traversal. 3. This also fixes the bug of not loading the files in the data folder when querying `/hk4e/announcement/` * Fix formatting * Update src/main/java/emu/grasscutter/server/http/handlers/AnnouncementsHandler.java
This commit is contained in:
parent
6219902e0f
commit
55928d9154
@ -14,6 +14,7 @@ import static emu.grasscutter.config.Configuration.*;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.util.Objects;
|
||||
import java.util.StringJoiner;
|
||||
|
||||
/**
|
||||
* Handles requests related to the announcements page.
|
||||
@ -72,7 +73,17 @@ public final class AnnouncementsHandler implements Router {
|
||||
}
|
||||
|
||||
private static void getPageResources(Context ctx) {
|
||||
try (InputStream filestream = DataLoader.load(ctx.path())) {
|
||||
// Re-process the path - remove the first slash and prevent directory traversal
|
||||
// (the first slash will act as root path when resolving local path)
|
||||
String[] path = ctx.path().split("/");
|
||||
StringJoiner stringJoiner = new StringJoiner("/");
|
||||
for (String pathName : path) {
|
||||
// Filter the illegal payload to prevent directory traversal
|
||||
if (!pathName.isEmpty() && !pathName.equals("..") && !pathName.contains("\\")) {
|
||||
stringJoiner.add(pathName);
|
||||
}
|
||||
}
|
||||
try (InputStream filestream = DataLoader.load(stringJoiner.toString())) {
|
||||
String possibleFilename = ctx.path();
|
||||
|
||||
ContentType fromExtension = ContentType.getContentTypeByExtension(possibleFilename.substring(possibleFilename.lastIndexOf(".") + 1));
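Review bot: The filter at `if (!pathName.isEmpty() && !pathName.equals("..") && !pathName.contains("\\"))` sanitizes by silently dropping traversal segments, so a request containing `..` is quietly served from the rewritten path instead of being refused; such a segment never names a legitimate resource here, and rejecting the request outright is both safer and leaves an auditable signal. The deny-list also passes a bare `.` segment, and unless `ctx.path()` is guaranteed to be percent-decoded and normalized by the framework (not visible in this hunk), encoded forms would need the same handling before the split — worth confirming; a positive allow-list per segment (letters, digits, `.`, `_`, `-`) is easier to reason about than enumerating bad characters. Separately, `possibleFilename` on the line after the inner `try` is still taken from the raw `ctx.path()`, so the extension lookup and the resource actually loaded can disagree; deriving both from `stringJoiner.toString()` keeps them consistent. getPageResources continues past the end of this hunk.
```java
for (String pathName : path) {
    if (pathName.isEmpty()) continue;
    // Refuse rather than sanitize: these segments never name a legitimate resource.
    if (pathName.equals("..") || pathName.equals(".") || pathName.contains("\\")) {
        ctx.status(400);
        return;
    }
    stringJoiner.add(pathName);
}
String sanitizedPath = stringJoiner.toString();
try (InputStream filestream = DataLoader.load(sanitizedPath)) {
    String possibleFilename = sanitizedPath;
    // … unchanged: content-type lookup and the rest of the handler …
```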
|
||||
|