From 75702b9a77ff64f5b38f06b1ddfa8ea11243c757 Mon Sep 17 00:00:00 2001
From: qkqpttgf <45693631+qkqpttgf@users.noreply.github.com>
Date: Tue, 1 Dec 2020 12:56:35 +0800
Subject: [PATCH] fix: #162
---
 common.php | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/common.php b/common.php
index 99977b7..73c404d 100644
--- a/common.php
+++ b/common.php
@@ -1044,6 +1044,10 @@ function get_thumbnails_url($path = '/', $location = 0)
 
 function bigfileupload($path)
 {
+ if (!$_SERVER['admin']) {
+ if (!is_guestup_path($path)) return output('Not_Guest_Upload_Folder', 400);
+ if (strpos($_GET['upbigfilename'], '../')!==false) return output('Not_Allow_Cross_Path', 400);
+ }
 $path1 = path_format($_SERVER['list_path'] . path_format($path));
 if (substr($path1,-1)=='/') $path1=substr($path1,0,-1);
 if ($_GET['upbigfilename']!=''&&$_GET['filesize']>0) {
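Review bot: The traversal guard added for non-admin callers matches only the literal substring `../` in `$_GET['upbigfilename']`, so a name that is exactly `..`, ends in `/..`, or uses a backslash separator is not rejected; whether `path_format()` or the storage backend normalises those forms later is not visible in this hunk. Checking path components is stricter and does not depend on downstream behaviour: `$parts = explode('/', str_replace('\\', '/', (string)($_GET['upbigfilename'] ?? '')));` followed by `if (in_array('..', $parts, true)) return output('Not_Allow_Cross_Path', 400);`. The same question applies to `$path` if `is_guestup_path()` compares prefixes without resolving `..` first, which should be confirmed against its definition. The body of `bigfileupload()` continues past the end of the hunk, so later uses of the filename could not be checked here.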