[HOTFIX] Prevent path directory traversal attack for deploy
parent
76550be9e7
commit
15616e05f3
|
@ -16,6 +16,7 @@ import org.springframework.web.bind.annotation.*;
|
|||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
import javax.servlet.http.HttpSession;
|
||||
import java.io.File;
|
||||
import java.io.FileInputStream;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
|
@ -102,9 +103,14 @@ public class ShopArticleController {
|
|||
Article article = articleRepository.findArticleById(id);
|
||||
|
||||
if(article.image != null) {
|
||||
InputStream in = new FileInputStream(article.image.path);
|
||||
File file = new File(article.image.path);
|
||||
if (file.getCanonicalPath().startsWith("./data/img/")) {
|
||||
InputStream in = new FileInputStream(file);
|
||||
response.setContentType(MediaType.IMAGE_JPEG_VALUE);
|
||||
IOUtils.copy(in, response.getOutputStream());
|
||||
} else {
|
||||
throw new RuntimeException("Got illegal file path. DB was modified.");
|
||||
}
|
||||
}
|
||||
}
|
||||
}
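Review bot: The new guard `file.getCanonicalPath().startsWith("./data/img/")` can never be true, because `getCanonicalPath()` returns an absolute path with `.` and `..` resolved, so it never begins with the relative literal `./data/img/`; as written every image request ends in the `RuntimeException` branch. The prefix should be the canonical form of the intended base directory (presumably `./data/img` relative to the working directory — confirm), and it should end with `File.separator` so that a sibling such as `data/img2` or `data/img.bak` does not pass the prefix test. The `FileInputStream` opened on the accepted path is also never closed; a try-with-resources around the copy fixes that. The enclosing handler method starts outside this hunk, so its signature and any surrounding exception handling are not visible here.
```java
// Canonical base directory; trailing separator prevents sibling-dir prefix matches
String imageBase = new File("./data/img").getCanonicalPath() + File.separator;
File file = new File(article.image.path);
if (file.getCanonicalPath().startsWith(imageBase)) {
    try (InputStream in = new FileInputStream(file)) {
        response.setContentType(MediaType.IMAGE_JPEG_VALUE);
        IOUtils.copy(in, response.getOutputStream());
    }
} else {
    // … unchanged: throw RuntimeException("Got illegal file path. DB was modified.") …
```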
|