Unverified Commit 55928d91 authored by sandtechnology's avatar sandtechnology Committed by GitHub

[Security][Bugfix] Fix directory traversal exploit (#1907)

* [Security][Bugfix] Fix directory traversal exploit

1. The first slash acts as the root path when the local path is resolved, so directory traversal is possible
2. Filter out the illegal payload to prevent directory traversal
3. This also fixes the bug where files in the data folder were not loaded when querying `/hk4e/announcement/`

* Fix formatting

* Update src/main/java/emu/grasscutter/server/http/handlers/AnnouncementsHandler.java
parent 6219902e
...@@ -14,6 +14,7 @@ import static emu.grasscutter.config.Configuration.*; ...@@ -14,6 +14,7 @@ import static emu.grasscutter.config.Configuration.*;
import java.io.IOException; import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.util.Objects; import java.util.Objects;
import java.util.StringJoiner;
/** /**
* Handles requests related to the announcements page. * Handles requests related to the announcements page.
...@@ -72,7 +73,17 @@ public final class AnnouncementsHandler implements Router { ...@@ -72,7 +73,17 @@ public final class AnnouncementsHandler implements Router {
} }
private static void getPageResources(Context ctx) { private static void getPageResources(Context ctx) {
try (InputStream filestream = DataLoader.load(ctx.path())) { // Re-process the path - remove the first slash and prevent directory traversal
// (the first slash will act as root path when resolving local path)
String[] path = ctx.path().split("/");
StringJoiner stringJoiner = new StringJoiner("/");
for (String pathName : path) {
// Filter the illegal payload to prevent directory traversal
if (!pathName.isEmpty() && !pathName.equals("..") && !pathName.contains("\\")) {
stringJoiner.add(pathName);
}
}
try (InputStream filestream = DataLoader.load(stringJoiner.toString())) {
String possibleFilename = ctx.path(); String possibleFilename = ctx.path();
ContentType fromExtension = ContentType.getContentTypeByExtension(possibleFilename.substring(possibleFilename.lastIndexOf(".") + 1)); ContentType fromExtension = ContentType.getContentTypeByExtension(possibleFilename.substring(possibleFilename.lastIndexOf(".") + 1));
......
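Review bot: The segment filter added to getPageResources silently drops `..`, empty and backslash-containing segments and then serves whatever path is left, so a request carrying traversal segments is rewritten to a different resource rather than refused. Rejecting such a request outright would be safer and easier to spot in logs, for example `if (pathName.equals("..") || pathName.contains("\\")) { /* respond 404 and return */ }` inside the loop. A deny-list on raw segments also depends on how `DataLoader.load` resolves the string, which is not visible here; if it maps to a filesystem path, a containment check there such as `base.resolve(relative).normalize().startsWith(base)` (with `base` and `relative` as placeholder names) is the more durable guard. Whether `ctx.path()` is already percent-decoded at this point should be confirmed as well, and the body of getPageResources continues past the visible lines.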