From b65a04857cebab2692d14ab7cdb318c2f67ee537 Mon Sep 17 00:00:00 2001
From: gaoxiongzaq
Date: Wed, 27 Mar 2024 08:55:28 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E8=BF=9C=E7=A8=8B=E6=96=87?= =?UTF-8?q?=E4=BB=B6=E6=96=87=E4=BB=B6=E5=90=8D=E5=B8=A6=E6=9C=89=E7=A9=BF?= =?UTF-8?q?=E8=B6=8A=E6=BC=8F=E6=B4=9E=E7=9A=84BUG?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 server/src/main/java/cn/keking/utils/WebUtils.java | 4 +++-
 .../cn/keking/web/controller/OnlinePreviewController.java | 7 ++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/server/src/main/java/cn/keking/utils/WebUtils.java b/server/src/main/java/cn/keking/utils/WebUtils.java
index 2209b94c..de14fb64 100644
--- a/server/src/main/java/cn/keking/utils/WebUtils.java
+++ b/server/src/main/java/cn/keking/utils/WebUtils.java
@@ -79,7 +79,9 @@ public class WebUtils {
             urlStr = clearFullfilenameParam(urlStr);
         } else {
             fullFileName = getFileNameFromURL(urlStr); //获取文件名
-
+        }
+        if (KkFileUtils.isIllegalFileName(fullFileName)) { //判断文件名是否带有穿越漏洞
+            return null;
         }
         if (!UrlEncoderUtils.hasUrlEncoded(fullFileName)) { //判断文件名是否转义
             try {
diff --git a/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java b/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java
index f100600b..bd324d57 100644
--- a/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java
+++ b/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java
@@ -21,6 +21,7 @@ import org.springframework.http.MediaType;
 import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
+import org.springframework.util.ObjectUtils;
 import org.springframework.util.StringUtils;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
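Review bot: The new `KkFileUtils.isIllegalFileName(fullFileName)` check runs before the `hasUrlEncoded` branch directly below it, so when the name reaches this point already percent-encoded the check is applied to the encoded text; unless `isIllegalFileName` decodes internally (its body is not in the patch), traversal components that only appear after decoding would not be caught. Checking a decoded copy, e.g. `String probe = URLDecoder.decode(fullFileName, StandardCharsets.UTF_8);` followed by `if (KkFileUtils.isIllegalFileName(probe)) {`, would make the guard independent of how the caller encoded the name (the `Charset` overload needs Java 10+, and `URLDecoder` also maps `+` to a space, which is harmless for this check). The method also gains a `null` return as its rejection signal, which its Javadoc (outside the hunk) should state, e.g. `@return the encoded URL, or {@code null} if the file name fails the traversal check`. The enclosing method starts and ends outside the hunk.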
@@ -76,7 +77,11 @@ public class OnlinePreviewController {
         model.addAttribute("file", fileAttribute);
         FilePreview filePreview = previewFactory.get(fileAttribute);
         logger.info("预览文件url:{},previewType:{}", fileUrl, fileAttribute.getType());
-        return filePreview.filePreviewHandle(WebUtils.urlEncoderencode(fileUrl), model, fileAttribute); //统一在这里处理 url
+        fileUrl =WebUtils.urlEncoderencode(fileUrl);
+        if (ObjectUtils.isEmpty(fileUrl)) {
+            return otherFilePreview.notSupportedFile(model, "非法路径,不允许访问");
+        }
+        return filePreview.filePreviewHandle(fileUrl, model, fileAttribute); //统一在这里处理 url
     }
 
     @GetMapping( "/picturesPreview")
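Review bot: The illegal-path rejection comes after `fileAttribute` has already been added to the model, handed to `previewFactory.get`, and logged (the three context lines at the top of the hunk), so a rejected request still runs through those steps; if `fileAttribute` is derived from `fileUrl` (its construction is outside the hunk), moving the `urlEncoderencode` call and the `isEmpty` check above `model.addAttribute("file", fileAttribute)` would reject before any of that work is done. Rejection is now signalled by a `null` from `urlEncoderencode`, which `ObjectUtils.isEmpty` folds together with an empty string; a comment such as `// urlEncoderencode returns null when the file name fails the traversal check` would make that contract visible at the call site. Minor style: `fileUrl =WebUtils.urlEncoderencode(fileUrl);` lacks the space after `=`, and `fileUrl` appears to be a reassigned parameter (its declaration is outside the hunk). The enclosing method starts outside the hunk.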