修复上传文件漏洞

This commit is contained in:
bjdgyc 2023-08-08 15:17:05 +08:00
parent c23b120e90
commit 28ffda2371
1 changed files with 10 additions and 4 deletions


@ -5,11 +5,11 @@ import (
"io" "io"
"net/http" "net/http"
"os" "os"
"path"
"strconv" "strconv"
"strings" "strings"
"time" "time"
"github.com/bjdgyc/anylink/base"
"github.com/bjdgyc/anylink/dbdata" "github.com/bjdgyc/anylink/dbdata"
"github.com/bjdgyc/anylink/pkg/utils" "github.com/bjdgyc/anylink/pkg/utils"
mapset "github.com/deckarep/golang-set" mapset "github.com/deckarep/golang-set"
@ -25,21 +25,27 @@ func UserUpload(w http.ResponseWriter, r *http.Request) {
return return
} }
defer file.Close() defer file.Close()
newFile, err := os.Create(base.Cfg.FilesPath + header.Filename)
// go/path-injection
// base.Cfg.FilesPath 可以直接对外访问,不能上传文件到此
fileName := path.Join(os.TempDir(), utils.RandomRunes(10))
newFile, err := os.Create(fileName)
if err != nil { if err != nil {
RespError(w, RespInternalErr, "创建文件失败:", err) RespError(w, RespInternalErr, "创建文件失败:", err)
return return
} }
defer newFile.Close() defer newFile.Close()
io.Copy(newFile, file) io.Copy(newFile, file)
if err = UploadUser(newFile.Name()); err != nil { if err = UploadUser(newFile.Name()); err != nil {
RespError(w, RespInternalErr, err) RespError(w, RespInternalErr, err)
os.Remove(base.Cfg.FilesPath + header.Filename) os.Remove(fileName)
return return
} }
os.Remove(base.Cfg.FilesPath + header.Filename) os.Remove(fileName)
RespSucess(w, "批量添加成功") RespSucess(w, "批量添加成功")
} }
func UploadUser(file string) error { func UploadUser(file string) error {
f, err := excelize.OpenFile(file) f, err := excelize.OpenFile(file)
if err != nil { if err != nil {
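Review bot: The error from `io.Copy(newFile, file)` is still discarded, so a short or failed copy hands a truncated file to `UploadUser` on the next line and the only symptom is whatever excelize reports while parsing it. The new temp file is also created with `os.Create` on a hand-built name in the shared temp directory, which yields default 0666 permissions (minus umask) with no exclusive-create guarantee; `os.CreateTemp("", "anylink-upload-*")` gives a 0600 file opened with O_EXCL and removes the `path.Join`/`RandomRunes` construction (which uses `path` rather than `path/filepath` for an OS path). UserUpload's signature lies before the hunk and UploadUser's body continues past its end. A rewrite of the create/copy lines is below; the two explicit `os.Remove(fileName)` calls become a single deferred cleanup.
```go
	defer file.Close()

	// base.Cfg.FilesPath is served to clients, so the upload must not land there;
	// CreateTemp gives an exclusively created 0600 file under os.TempDir().
	newFile, err := os.CreateTemp("", "anylink-upload-*")
	if err != nil {
		RespError(w, RespInternalErr, "创建文件失败:", err)
		return
	}
	// Deferred in this order so Close runs before Remove (LIFO).
	defer os.Remove(newFile.Name())
	defer newFile.Close()
	if _, err = io.Copy(newFile, file); err != nil {
		RespError(w, RespInternalErr, "写入文件失败:", err)
		return
	}
	if err = UploadUser(newFile.Name()); err != nil {
		RespError(w, RespInternalErr, err)
		return
	}
	// … unchanged: success response …
```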