diff --git a/internal/controllers/admin/setting/adminSystemController.go b/internal/controllers/admin/setting/adminSystemController.go
index 7b84e56..c2d8e3b 100644
--- a/internal/controllers/admin/setting/adminSystemController.go
+++ b/internal/controllers/admin/setting/adminSystemController.go
@@ -20,6 +20,7 @@ import (
"github.com/gphper/ginadmin/internal/controllers/admin"
"github.com/gphper/ginadmin/internal/redis"
"github.com/gphper/ginadmin/pkg/loggers"
+ "github.com/gphper/ginadmin/pkg/utils/filesystem"
gstrings "github.com/gphper/ginadmin/pkg/utils/strings"
"github.com/gin-gonic/gin"
@@ -80,7 +81,11 @@ func (con adminSystemController) GetDir(c *gin.Context) {
)
fileSlice = make([]FileNode, 0)
- path = gstrings.JoinStr(configs.RootPath, c.Query("path"))
+ path, err = filesystem.FilterPath(configs.RootPath+"logs", c.Query("path"))
+ if err != nil {
+ con.Error(c, err.Error())
+ return
+ }
files, err = ioutil.ReadDir(path)
if err != nil {
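Review bot: The log root is spelled out as the string concatenation `configs.RootPath+"logs"` on the `filesystem.FilterPath` line here and again in the View hunk of this file; a single package-level value in this controller (e.g. `var logRoot = configs.RootPath + "logs"` next to the other declarations) keeps both handlers pointed at the same directory and gives one place to adjust if the root changes. Because FilterPath appears to append its arguments as plain strings, this also relies on RootPath ending with a path separator, which cannot be confirmed from this hunk. GetDir's body continues past the hunk.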
@@ -132,7 +137,12 @@ func (con adminSystemController) View(c *gin.Context) {
}
var filecontents []string
- filePath := gstrings.JoinStr(configs.RootPath, c.Query("path"))
+ filePath, err := filesystem.FilterPath(configs.RootPath+"logs", c.Query("path"))
+ if err != nil {
+ con.ErrorHtml(c, err)
+ return
+ }
+
fi, err := os.Open(filePath)
if err != nil {
con.ErrorHtml(c, err)
diff --git a/pkg/utils/filesystem/filesystem.go b/pkg/utils/filesystem/filesystem.go
index 7a8b9f3..2cead86 100644
--- a/pkg/utils/filesystem/filesystem.go
+++ b/pkg/utils/filesystem/filesystem.go
@@ -6,6 +6,8 @@
package filesystem
import (
+ "errors"
+ "fmt"
"io/fs"
"log"
"os"
@@ -89,15 +91,23 @@ func OpenFile(filepath string) (file *os.File, err error) {
}
/**
-* 组装字符串
+* 过滤非法访问的路径
*/
-func JoinStr(items ...interface{}) string {
- if len(items) == 0 {
- return ""
+func FilterPath(root, path string) (string, error) {
+
+ newPath := fmt.Sprintf("%s%s", root, path)
+ absPath, err := filepath.Abs(newPath)
+ if err != nil {
+ return "", err
}
- var builder strings.Builder
- for _, v := range items {
- builder.WriteString(v.(string))
+
+ absPath = filepath.FromSlash(absPath)
+ ifOver := filepath.HasPrefix(absPath, filepath.FromSlash(root))
+ fmt.Println(absPath)
+ fmt.Println(filepath.FromSlash(root))
+ if !ifOver {
+ return "", errors.New("access to the path is prohibited")
}
- return builder.String()
+
+ return absPath, nil
}
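Review bot: The containment check at `ifOver := filepath.HasPrefix(absPath, filepath.FromSlash(root))` compares an absolute, cleaned path against the raw `root`, so it is only meaningful when `root` is already absolute and clean, and as a plain string prefix it also accepts any sibling directory of the root whose name merely starts with the same characters, since `root` carries no trailing separator; `filepath.HasPrefix` is deprecated in the standard library for exactly these reasons. Normalizing `root` with `filepath.Abs` and deciding via `filepath.Rel`, as in the rewrite below, closes both gaps. The two `fmt.Println` calls that follow look like leftover debugging output and write every checked path to stdout on each request; they should be removed. The rewrite uses `strings.HasPrefix`; whether `strings` is still imported after JoinStr (which used `strings.Builder`) was removed is not visible in this hunk.
```go
func FilterPath(root, path string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	absPath, err := filepath.Abs(root + path)
	if err != nil {
		return "", err
	}
	// Rel yields a path starting with ".." only when absPath lies outside
	// absRoot, which also covers a root without a trailing separator.
	rel, err := filepath.Rel(absRoot, absPath)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errors.New("access to the path is prohibited")
	}
	return absPath, nil
}
```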
diff --git a/web/views/template/setting/systemlog.html b/web/views/template/setting/systemlog.html
index 6edec5d..c0c8857 100644
--- a/web/views/template/setting/systemlog.html
+++ b/web/views/template/setting/systemlog.html
@@ -30,7 +30,7 @@
{{ .Name}}
展开
-
+
{{end}}