[SECURITY] Denial of service because of unsafe regex processing

[ghost]

I have tried to contact you by zcool321@sina.com and created #22 asking for the contact. Nobody replied.

The JFinal_cms is vulnerable to regex injection that may lead to Denial of Service.

User controlled path and contextPath are used to build and run a regex expression (first argument to replaceFirst):

jfinal_cms/src/main/java/com/jflyfox/modules/filemanager/FileManager.java

Lines 929 to 949 in 1a96532

	protected String getFilePath() {
	String path = this.get.get("path");
	return getFilePath(path);
	}
	/**
	* get File Path
	* <p>
	* 2016年2月26日 下午3:47:37 flyfox 369191470@qq.com
	*
	* @return
	*/
	protected String getFilePath(String path) {
	String contextPath = this.get.get("contextPath");
	// 根目录
	if (StrUtils.isEmpty(contextPath)) {
	return path;
	}
	if (path.startsWith(contextPath)) {
	path = path.replaceFirst(contextPath, "");

Since the attacker controls the string and the regex pattern he may cause a ReDoS by regex catastrophic backtracking on the server side.

[zcool321]

Thank u for feedback .
for easy, There is a problem.

[ghost]

Hi, is there any update on this?

[ghost]

Mitre assigned CVE-2021-37262 ID for the issue.