From de67796e5224e223dec45a6065fc746234eb4321 Mon Sep 17 00:00:00 2001
From: hfkgkjbkbn <12625328+hfkgkjbkbn@user.noreply.gitee.com>
Date: Thu, 16 Mar 2023 10:41:10 +0000
Subject: [PATCH 1/2] =?UTF-8?q?=E6=9B=B4=E6=96=B0nginxPath=E9=98=B2?=
 =?UTF-8?q?=E6=AD=A2=E8=B7=AF=E5=BE=84=E7=A9=BF=E8=B6=8A=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: hfkgkjbkbn <12625328+hfkgkjbkbn@user.noreply.gitee.com>
---
 src/main/java/com/cym/service/ConfService.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/main/java/com/cym/service/ConfService.java b/src/main/java/com/cym/service/ConfService.java
index e2e538ac..7275c467 100644
--- a/src/main/java/com/cym/service/ConfService.java
+++ b/src/main/java/com/cym/service/ConfService.java
@@ -696,6 +696,7 @@ public class ConfService {
 FileUtil.mkdir(confd);
 // 写入主文件
+nginxPath.replaceAll("\\.\\./","_");
 FileUtil.writeString(nginxContent, nginxPath.replace(" ", "_"), StandardCharsets.UTF_8);
 String decompose = settingService.get("decompose");
-- Gitee
From 42fe388080f4e6da84dd7f7b0762022f8711263c Mon Sep 17 00:00:00 2001
From: hfkgkjbkbn <12625328+hfkgkjbkbn@user.noreply.gitee.com>
Date: Fri, 17 Mar 2023 05:10:21 +0000
Subject: [PATCH 2/2] =?UTF-8?q?=E5=AF=B9nginx=E5=90=AF=E5=8A=A8=E5=91=BD?=
 =?UTF-8?q?=E4=BB=A4=E8=BF=9B=E8=A1=8C=E6=A0=A1=E9=AA=8C=EF=BC=8C=E9=98=B2?=
 =?UTF-8?q?=E6=AD=A2=E6=BD=9C=E5=9C=A8=E7=9A=84=E5=91=BD=E4=BB=A4=E6=89=A7?=
 =?UTF-8?q?=E8=A1=8C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: hfkgkjbkbn <12625328+hfkgkjbkbn@user.noreply.gitee.com>
---
 .../com/cym/controller/adminPage/ConfController.java | 10 ++++++++++
 src/main/java/com/cym/service/ConfService.java | 1 -
 2 files changed, 10 insertions(+), 1 deletion(-)
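Review bot: The added `nginxPath.replaceAll("\\.\\./","_");` has no effect: Java strings are immutable and the return value is never assigned, so the `FileUtil.writeString` call on the next line still receives the original `nginxPath`. Assigning the result would not be a sufficient guard either, since a single `../` substitution does not confine an absolute path or a path using the other separator. A reliable check resolves the path first and confines it to the directory the configuration is meant to live in, e.g. `Path p = Paths.get(nginxPath).toAbsolutePath().normalize(); if (!p.startsWith(confDir)) throw new IllegalArgumentException("nginx path outside config dir");` where `confDir` is a placeholder for that base directory. Patch 2/2 of this series deletes the line again without substituting a check, so the traversal concern named in the subject stays open; the enclosing method starts and ends outside the hunk.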
diff --git a/src/main/java/com/cym/controller/adminPage/ConfController.java b/src/main/java/com/cym/controller/adminPage/ConfController.java
index 8effd16a..110af581 100644
--- a/src/main/java/com/cym/controller/adminPage/ConfController.java
+++ b/src/main/java/com/cym/controller/adminPage/ConfController.java
@@ -320,6 +320,16 @@ public class ConfController extends BaseController {
 try {
 String rs = "";
+// 过滤特殊字符,防止命令拼接
+cmd = cmd.replaceAll(";","\\\\;");
+cmd = cmd.replaceAll("`","\\\\`");
+cmd = cmd.replaceAll("\\|","\\\\|");
+cmd = cmd.replaceAll("\\{","\\\\{");
+cmd = cmd.replaceAll("\\}","\\\\}");
+//仅执行nginx相关的命令,而不是其他的恶意命令
+if(!cmd.contains("nginx")){
+cmd = "nginx restart";
+}
 if (SystemTool.isWindows()) {
 RuntimeUtil.exec("cmd /c start " + cmd);
 } else {
diff --git a/src/main/java/com/cym/service/ConfService.java b/src/main/java/com/cym/service/ConfService.java
index 7275c467..e2e538ac 100644
--- a/src/main/java/com/cym/service/ConfService.java
+++ b/src/main/java/com/cym/service/ConfService.java
@@ -696,7 +696,6 @@ public class ConfService {
 FileUtil.mkdir(confd);
 // 写入主文件
-nginxPath.replaceAll("\\.\\./","_");
 FileUtil.writeString(nginxContent, nginxPath.replace(" ", "_"), StandardCharsets.UTF_8);
 String decompose = settingService.get("decompose");
-- Gitee
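Review bot: The new filter in ConfController does not make `cmd` safe for the `RuntimeUtil.exec("cmd /c start " + cmd)` call that follows it: backslash-escaping `;`, backtick, `|`, `{` and `}` is a blocklist that leaves other shell operators untouched, backslash is not an escape character for `cmd.exe` at all, and `cmd.contains("nginx")` is satisfied by any string that mentions nginx somewhere, so it does not constrain what gets executed. The fallback `cmd = "nginx restart";` also silently runs a different command instead of reporting the rejected input. I would replace the blocklist with an allowlist: split `cmd` into tokens, accept it only when the executable token is an nginx binary and the remaining tokens come from a fixed set of nginx arguments, and hand the token list to `ProcessBuilder` so no shell parses it; otherwise fail the request. In the excerpt below `ALLOWED_NGINX_ARGS` is a placeholder for a `static final Set<String>` of the arguments you choose to permit. The enclosing method (and its `try`) starts and ends outside the hunk, and where `cmd` originates is not visible here, so the exact error handling has to follow the method's existing catch.
```java
String rs = "";
// Allowlist instead of a blocklist: only a bare nginx invocation with known
// arguments is accepted, and it is never handed to a shell for parsing.
List<String> tokens = List.of(cmd.trim().split("\\s+"));
String exe = tokens.get(0);
boolean nginxBinary = exe.equals("nginx") || exe.endsWith("/nginx") || exe.endsWith("\\nginx.exe");
boolean knownArgs = tokens.size() <= 3
        && tokens.subList(1, tokens.size()).stream().allMatch(ALLOWED_NGINX_ARGS::contains);
if (!nginxBinary || !knownArgs) {
    // rejected input is an error, not a reason to run a substitute command
    throw new IllegalArgumentException("unsupported nginx command"); // TODO: map to the method's error response
}
// … unchanged: platform branch, but run new ProcessBuilder(tokens) instead of "cmd /c start " + cmd …
```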