5 лет назад · 59d6b3e65e
--- a/src/server/routes/admin.js
+++ b/src/server/routes/admin.js
@@ -325,7 +325,7 @@ module.exports = function(crowi, app) {
 
															   api.validators.export.download = function() {
														
 
															     const validator = [
														
 
															-      // https://regex101.com/r/mD4eZs/4
														
 
															+      // https://regex101.com/r/mD4eZs/6
														
 
															       // prevent from pass traversal attack
														
 
															       param('fileName').not().matches(/(\.\.\/|\.\.\\)/),
														
 
															     ];
														
--- a/src/server/routes/apiv3/export.js
+++ b/src/server/routes/apiv3/export.js
@@ -62,7 +62,7 @@ module.exports = (crowi) => {
 
															   const validator = {
														
 
															     deleteFile: [
														
 
															-      // https://regex101.com/r/mD4eZs/4
														
 
															+      // https://regex101.com/r/mD4eZs/6
														
 
															       // prevent from unexpecting attack doing delete file (path traversal attack)
														
 
															       param('fileName').not().matches(/(\.\.\/|\.\.\\)/),
														
 
															     ],
														
--- a/src/server/service/import.js
+++ b/src/server/service/import.js
@@ -369,7 +369,7 @@ class ImportService {
 
															     unzipStream.on('entry', (entry) => {
														
 
															       const fileName = entry.path;
														
 
															-      // https://regex101.com/r/mD4eZs/4
														
 
															+      // https://regex101.com/r/mD4eZs/6
														
 
															       // prevent from unexpecting attack doing unzip file (path traversal attack)
														
 
															       // FOR EXAMPLE
														
 
															       // ../../src/server/views/admin/markdown.html