Fix vulnerability due to uncheck theme id (#499)

pull/500/head
John Niang 2020-01-16 16:46:16 +08:00 committed by GitHub
parent 23d0a2e01d
commit f4c2ca2f8d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 2 deletions


@ -211,8 +211,11 @@ public class FileUtils {
try (Stream<Path> pathStream = Files.list(unzippedPath)) {
List<Path> childrenPath = pathStream.collect(Collectors.toList());
if (childrenPath.size() == 1 && Files.isDirectory(childrenPath.get(0))) {
return childrenPath.get(0);
Path realPath = childrenPath.get(0);
if (childrenPath.size() == 1 && Files.isDirectory(realPath)) {
// Check directory traversal
checkDirectoryTraversal(unzippedPath, realPath);
return realPath;
}
return unzippedPath;
}
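Review bot: `childrenPath.get(0)` is now evaluated before the `size() == 1` test, so an archive that unzips to an empty directory throws `IndexOutOfBoundsException` where the old short-circuit fell through to `return unzippedPath;`. Keep the guard first, e.g. `if (childrenPath.size() == 1 && Files.isDirectory(childrenPath.get(0))) {` followed by `Path realPath = childrenPath.get(0);`. Separately, a path returned by `Files.list(unzippedPath)` is already a lexical child of `unzippedPath`, so the added `checkDirectoryTraversal` call only adds protection if that helper (not visible here) resolves symbolic links. `Files.isDirectory` follows links by default, so it is worth confirming whether `LinkOption.NOFOLLOW_LINKS` or a real-path comparison is needed for a symlinked single child. The enclosing method starts and ends outside the hunk.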