Bypass of the security check "do not allow ../ in path"
In January, Hexo fixed an arbitrary file read vulnerability:
After a brief look, I found that this security check is incomplete; that is to say, I can bypass it here.
On Windows, I can use
The Linux file system does not interpret backslashes as separators; in theory it could be read through
..\/..\/..\/..\/..\/etc/passwd, but I did not manage to verify this on Linux. This operation was only verified successfully in the Windows environment.
So my suggestion is not only to disallow ../ in the path, but also to disallow ..\ in the path, or change
The issue is currently being resolved in https://github.com/hexojs/hexo/pull/5251
This article is for study and communication. It is strictly forbidden to use it for illegal operations. All consequences shall be borne by yourself. Reading this article means that you have agreed to this statement.