GateOne CVE-2020-35736 任意文件读取漏洞复现

def get(self, path, include_body=True):    session_dir = self.settings['session_dir']    user = self.current_user    if user and 'session' in user:        session = user['session']    else:        logger.error(_("DownloadHandler: Could not determine use session"))        return # Something is wrong    filepath = os.path.join(session_dir, session, 'downloads', path)    abspath = os.path.abspath(filepath)    if not os.path.exists(abspath):        self.set_status(404)        self.write(self.get_error_html(404))        return    if not os.path.isfile(abspath):        raise tornado.web.HTTPError(403, "%s is not a file", path)

docker pull liftoff/gateone

#Commanddocker run [-d/-t] -p [443]:8000 -h [hostname] --name gateone liftoff/gateone gateone#For example, if 443 is occupied on the server, please use another unused port.docker run -t -p 443:48620 -h Rats --name gateone liftoff/gateone gateone

https://github.com/liftoff/GateOne/issues/747