From dad269b6e2c71877ebf0a4db6674e858c9caef2f Mon Sep 17 00:00:00 2001
From: filesite
Date: Sat, 29 Oct 2022 17:03:47 +0800
Subject: [PATCH] move function improve to disable ../ in from and to directory

---
 controller/ApiController.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/controller/ApiController.php b/controller/ApiController.php
index d18a221..9e501f5 100644
--- a/controller/ApiController.php
+++ b/controller/ApiController.php
@@ -53,7 +53,7 @@ Class ApiController extends Controller {
 $realpath = preg_replace('/\/$/', '', $realpath);
 $arr = explode('/', $realpath);
- if (count($arr) < 2) {return '/';}
+ if (count($arr) < 2 || empty($arr[0])) {return '/';}
 array_pop($arr);
 return implode('/', $arr);
@@ -61,7 +61,7 @@ Class ApiController extends Controller {
 //判断父目录是否合法
 protected function isParentDirectoryValid($parentDir) {
- if (empty($parentDir) || strpos($parentDir, '../') !== false) {
+ if (empty($parentDir) || strpos($parentDir, '..') !== false) {
 return false;
 }else if ($realpath == '/') {
 return true;
@@ -286,7 +286,7 @@ Class ApiController extends Controller {
 return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
 }
- $fromFile = str_replace("{$fromParent}/", '', $fromDir);
+ $fromFile = $this->basename($fromDir);
 $toDir = preg_match('/\/$/', $toDir) ? "{$toDir}{$fromFile}" : "{$toDir}/{$fromFile}";
 }
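Review bot: `empty($arr[0])` on the added line is also true for a first segment of `'0'`, so a relative path such as `0/sub` now yields `/` instead of `0`; the leading-separator check the commit intends is `$arr[0] === ''`, which has no such false positive. Note that with this guard every path beginning with `/` (e.g. `/a/b`) now reports `/` as its parent rather than `/a`, which only makes sense if callers always pass paths relative to the content root; that assumption deserves a comment at the top of the function, such as `// paths are relative to the root; a leading '/' means the root itself`. The enclosing function begins before the hunk.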
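Review bot: The `else if` two lines below the change tests `$realpath`, a variable this method never defines (its only parameter is `$parentDir`), so that branch can never be taken and `/` is accepted only if whatever follows the hunk accepts it; it should read `}else if ($parentDir == '/') {`. The broadened `'..'` substring test is safer than `'../'` but still operates on the raw string: it rejects legitimate names such as `a..b` and does not account for symlinks, whereas resolving the candidate with `realpath()` and checking that the result starts with the allowed base directory covers both. `empty($parentDir)` also treats a directory named `0` as missing, so `$parentDir === ''` is the precise form. The rest of the method lies outside the hunk.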
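Review bot: `$fromFile` is interpolated into `$toDir` on the next line without checking that `$this->basename($fromDir)` returned a non-empty string; if that helper (defined outside this hunk) yields `''` for a `$fromDir` ending in `/`, the computed `$toDir` is the destination directory itself rather than a path inside it. A guard such as `if ($fromFile === '') { return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']); }` with an appropriate message, placed before the `$toDir` line, closes that gap. The trailing-slash ternary can be written without a regex as `$toDir = rtrim($toDir, '/') . '/' . $fromFile;`, which behaves the same for a single trailing slash. Whether the composed `$toDir` is re-validated against the `..` rule after this point is not visible here; the enclosing method begins before the hunk.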