Andreas/siyuan
1
0
Fork 0
mirror of https://github.com/siyuan-note/siyuan.git synced 2026-01-19 14:56:09 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

🔒 Arbitrary file reading vulnerability https://github.com/siyuan-note/siyuan/issues/16860

Browse source 
Signed-off-by: Daniel <845765@qq.com>
This commit is contained in:
Daniel 2026-01-18 17:23:26 +08:00
parent f922745aa7
commit b2274baba2
No known key found for this signature in database
GPG key ID: 86211BA83DF03017
3 changed files with 118 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

13
kernel/model/assets.go
View file

@ -248,7 +248,18 @@ func netAssets2LocalAssets0(tree *parse.Tree, onlyImg bool, originalURL string,
u = u[:strings.Index(u, "?")]
}
if !gulu.File.IsExist(u) || gulu.File.IsDir(u) {
if !gulu.File.IsExist(u) {
logging.LogErrorf("local file asset [%s] not exist", u)
continue
}
if gulu.File.IsDir(u) {
logging.LogWarnf("ignore converting directory path [%s] to local asset", u)
continue
}
if util.IsSensitivePath(u) {
logging.LogWarnf("ignore converting sensitive path [%s] to local asset", u)
continue
}