[Vulnerability] With local or local-plus enabled and enable-access turned on, every file on the machine can be downloaded through a particular URL #78
Comments
This feature is implemented in the following way. Requests can be intercepted with a filter, or file access can be provided by other means, for example Nginx:

```java
import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

public class FileStorageAutoConfiguration implements WebMvcConfigurer {

    // The bound configuration the snippet refers to as `properties`
    // (FileStorageProperties is assumed to live in the same package; injection omitted)
    private final FileStorageProperties properties;

    public FileStorageAutoConfiguration(FileStorageProperties properties) {
        this.properties = properties;
    }

    /**
     * Configure the access URLs for local storage: every enabled local / local-plus
     * platform maps its URL pattern straight onto a "file:" resource location.
     */
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        for (FileStorageProperties.Local local : properties.getLocal()) {
            if (local.getEnableAccess()) {
                registry.addResourceHandler(local.getPathPatterns()).addResourceLocations("file:" + local.getBasePath());
            }
        }
        for (FileStorageProperties.LocalPlus local : properties.getLocalPlus()) {
            if (local.getEnableAccess()) {
                registry.addResourceHandler(local.getPathPatterns()).addResourceLocations("file:" + local.getStoragePath());
            }
        }
    }
}
```
OK, thanks for the suggestion; I will deal with this in the new version.
For the current version, see the documentation: the requests can be intercepted with an aspect.
Work has been busy, so the new version is only now nearing completion.
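One way to do the filter-based interception suggested in the thread, as an added example that is not part of the project's code or of any comment above: a servlet `Filter` placed in front of the resource handler that decodes the request path and refuses any `..` segment that would climb above the access mapping. It assumes the storage is served under `/storage/**` (the prefix in the reported URL), Java 10+ for `URLDecoder.decode(String, Charset)`, and the `jakarta.servlet` API of Spring Boot 3 (use `javax.servlet` on Spring Boot 2); the class name `StorageTraversalFilter` is hypothetical.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.stereotype.Component;

/**
 * Defence-in-depth filter for the local / local-plus access mapping.
 * Assumption (not from the project): the storage is exposed under "/storage/**",
 * matching the URL in the report.
 */
@Component
public class StorageTraversalFilter implements Filter {

    static final String ACCESS_PREFIX = "/storage/";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getRequestURI() is the raw, still percent-encoded path as the client sent it
        if (!isSafeStoragePath(request.getRequestURI())) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST, "path traversal rejected");
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Returns false when the request targets the storage mapping and, after decoding,
     * a ".." segment would climb above ACCESS_PREFIX. Paths outside the mapping are not judged.
     */
    static boolean isSafeStoragePath(String rawUri) {
        String path = rawUri;
        try {
            // Undo two layers of percent-encoding so %2e%2e and %252e%252e both become ".."
            for (int i = 0; i < 2; i++) {
                path = URLDecoder.decode(path, StandardCharsets.UTF_8);
            }
        } catch (IllegalArgumentException malformed) {
            return false; // e.g. "%zz": refuse rather than guess
        }
        if (!path.startsWith(ACCESS_PREFIX)) {
            return true; // not a storage URL, nothing for this filter to decide
        }
        if (path.indexOf('\0') >= 0 || path.indexOf('\\') >= 0) {
            return false; // NUL bytes and backslashes have no business in these URLs
        }
        int depth = 0; // how many directory levels below ACCESS_PREFIX we currently are
        for (String segment : path.substring(ACCESS_PREFIX.length()).split("/", -1)) {
            // Strip path parameters (";jsessionid=...") so "..;" is still recognised as ".."
            int semi = segment.indexOf(';');
            if (semi >= 0) {
                segment = segment.substring(0, semi);
            }
            if (segment.isEmpty() || segment.equals(".")) {
                continue;
            }
            if (segment.equals("..")) {
                if (depth == 0) {
                    return false; // would leave the storage directory
                }
                depth--;
            } else {
                depth++;
            }
        }
        return true;
    }

    /** Self-check that runs without a servlet container; inputs are constructed probes. */
    public static void main(String[] args) {
        String[] probes = {
            "/storage/2024/report.pdf",   // legitimate -> allow
            "/storage/a/../b.txt",        // ".." that stays inside -> allow
            "/storage/../xxx",            // the URL from the report -> reject
            "/storage/%2e%2e/xxx",        // single-encoded -> reject
            "/storage/%252e%252e/xxx",    // double-encoded -> reject
            "/storage/..;/xxx",           // path-parameter variant -> reject
            "/other/../etc/passwd"        // outside the mapping -> allow (not this filter's job)
        };
        for (String probe : probes) {
            System.out.println((isSafeStoragePath(probe) ? "allow  " : "reject ") + probe);
        }
    }
}
```

Because it is a `@Component`, Spring Boot registers the filter for every request automatically; `isSafeStoragePath` is static so it can be unit-tested with the probes in `main`. The second decode pass is deliberate but has a cost: a legitimate file name containing a literal percent sign (stored as `%25`) is rejected after the first decode turns it into an incomplete escape, so if such names exist, keep one decode pass and reject any remaining `%` instead.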
For example http://127.0.0.1:8080/storage/../xxx: the ".." resolves to the parent of the storage directory, so the file xxx that sits beside the storage directory is downloaded directly. By this means files from any directory can be downloaded.