bugfix: arbitrary file reading

5eec7c31 · 710leo · c5ba127b · 5eec7c31
隐藏空白更改
内联并排

Showing with 3 addition and 1 deletion

src/modules/monapi/http/router_tpl.go src/modules/monapi/http/router_tpl.go +3 -1

未找到文件。
--- a/src/modules/monapi/http/router_tpl.go
+++ b/src/modules/monapi/http/router_tpl.go
 package http

 import (
+	"path"
+
 	"github.com/didi/nightingale/src/modules/monapi/config"

 	"github.com/gin-gonic/gin"
@@ -27,7 +29,7 @@ func tplNameGets(c *gin.Context) {
 }

 func tplGet(c *gin.Context) {
-	tplName := mustQueryStr(c, "tplName")
+	tplName := path.Base(mustQueryStr(c, "tplName"))
 	tplType := mustQueryStr(c, "tplType")

 	var filePath string