From 56bb8bda796ccb05b76d901aae5d2b2df0564383 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=A3=98=E9=9B=AA=E6=B5=81=E9=A3=8E?=
Date: Sun, 25 May 2025 05:49:47 +0000
Subject: [PATCH] =?UTF-8?q?update=20src/SSCMS.Web/Controllers/Admin/Cms/Te?= =?UTF-8?q?mplates/TemplatesAssetsEditorController.Get.cs.=20//BUG?= =?UTF-8?q?=E9=AB=98=E5=8D=B1=E6=BC=8F=E6=B4=9E=EF=BC=9A=E8=AF=BB=E5=8F=96?= =?UTF-8?q?=E6=96=87=E4=BB=B6=E6=97=B6=E6=9C=AA=E5=88=A4=E6=96=AD=E6=96=87?= =?UTF-8?q?=E4=BB=B6=E5=90=8E=E7=BC=80=E5=90=8D=EF=BC=8C=E5=AF=BC=E8=87=B4?= =?UTF-8?q?=E5=8F=AF=E6=9F=A5=E7=9C=8B=E5=88=B0sscms.json=E6=96=87?= =?UTF-8?q?=E4=BB=B6=E4=B8=AD=E7=9A=84key=E5=92=8C=E6=95=B0=E6=8D=AE?= =?UTF-8?q?=E5=BA=93=E8=BF=9E=E6=8E=A5=E9=85=8D=E7=BD=AE=EF=BC=8C=E8=AF=B7?= =?UTF-8?q?=E4=BF=AE=E6=94=B9=EF=BC=81=EF=BC=81=EF=BC=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: 飘雪流风
---
 .../Cms/Templates/TemplatesAssetsEditorController.Get.cs | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/SSCMS.Web/Controllers/Admin/Cms/Templates/TemplatesAssetsEditorController.Get.cs b/src/SSCMS.Web/Controllers/Admin/Cms/Templates/TemplatesAssetsEditorController.Get.cs
index ba0b36d16..4ed5c15a0 100644
--- a/src/SSCMS.Web/Controllers/Admin/Cms/Templates/TemplatesAssetsEditorController.Get.cs
+++ b/src/SSCMS.Web/Controllers/Admin/Cms/Templates/TemplatesAssetsEditorController.Get.cs
@@ -1,4 +1,4 @@
-using System.Threading.Tasks;
+using System.Threading.Tasks;
 using Microsoft.AspNetCore.Mvc;
 using SSCMS.Configuration;
 using SSCMS.Utils;
@@ -32,7 +32,9 @@ namespace SSCMS.Web.Controllers.Admin.Cms.Templates
 var path = string.Empty;
 var content = string.Empty;
- var directoryPath = request.DirectoryPath; // PathUtils.RemoveParentPath(request.DirectoryPath);
+ var directoryPath = request.DirectoryPath;
+ // PathUtils.RemoveParentPath(request.DirectoryPath);
+ //BUG高危漏洞:未判断读取文件夹是否为父文件夹,导致可返回应用程序根目录下中sscms.json文件。
 var fileName = PathUtils.RemoveParentPath(request.FileName);
 if (!string.IsNullOrEmpty(fileName))
@@ -41,7 +43,7 @@ namespace SSCMS.Web.Controllers.Admin.Cms.Templates
 if (FileUtils.IsFileExists(filePath))
 {
- content = await FileUtils.ReadTextAsync(filePath);
+ content = await FileUtils.ReadTextAsync(filePath); //BUG高危漏洞:读取文件时未判断文件后缀名,导致可查看到sscms.json文件中的key和数据库连接配置,请修改!!!
 }
 if (StringUtils.EqualsIgnoreCase(request.FileType, "html"))
-- 
Gitee
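Review bot: The directory traversal that the added comment describes is still present on the new side: `var directoryPath = request.DirectoryPath;` keeps the client-supplied directory unfiltered while the `PathUtils.RemoveParentPath` call remains commented out, so this hunk documents the weakness without changing behaviour. The minimal fix is to restore `var directoryPath = PathUtils.RemoveParentPath(request.DirectoryPath);`, which also makes the handling consistent with `fileName` two lines below. Stripping parent segments alone does not prove containment, so the resolved `filePath` (built between the two hunks, outside this view) should additionally be verified to sit under the site's asset root before any existence check or read, and the rejection should be logged as a likely probe. The enclosing action method starts and ends outside this hunk, and the `//BUG高危漏洞` note would be better tracked as an issue than left as a source comment once the fix lands.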
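Review bot: `content = await FileUtils.ReadTextAsync(filePath);` still reads whatever file the path resolves to; the trailing comment names the missing extension check but the hunk does not add one, so the only visible gate is `FileUtils.IsFileExists`. An allow-list of the asset extensions this editor is meant to serve is the right shape (a deny-list naming sscms.json would miss other sensitive files), for example `var ext = System.IO.Path.GetExtension(filePath);` followed by `if (!StringUtils.EqualsIgnoreCase(ext, ".html") && !StringUtils.EqualsIgnoreCase(ext, ".css") && !StringUtils.EqualsIgnoreCase(ext, ".js")) { /* return the controller's usual error result */ }`, with the list confirmed against the `FileType` values the controller actually accepts, since only "html" is visible here. Placing that check before the `IsFileExists` call also avoids disclosing the existence of non-asset files through the response. This check complements, and does not replace, fixing `directoryPath` in the earlier hunk.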