修复远程文件文件名带有穿越漏洞的BUG

This commit is contained in:
gaoxiongzaq 2024-03-27 08:55:28 +08:00
parent 59315c3200
commit b65a04857c
2 changed files with 9 additions and 2 deletions

View File

@ -79,7 +79,9 @@ public class WebUtils {
urlStr = clearFullfilenameParam(urlStr);
} else {
fullFileName = getFileNameFromURL(urlStr); //获取文件名
}
if (KkFileUtils.isIllegalFileName(fullFileName)) { //判断文件名是否带有穿越漏洞
return null;
}
if (!UrlEncoderUtils.hasUrlEncoded(fullFileName)) { //判断文件名是否转义
try {

View File

@ -21,6 +21,7 @@ import org.springframework.http.MediaType;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.util.ObjectUtils;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;
@ -76,7 +77,11 @@ public class OnlinePreviewController {
model.addAttribute("file", fileAttribute);
FilePreview filePreview = previewFactory.get(fileAttribute);
logger.info("预览文件url{}previewType{}", fileUrl, fileAttribute.getType());
return filePreview.filePreviewHandle(WebUtils.urlEncoderencode(fileUrl), model, fileAttribute); //统一在这里处理 url
fileUrl =WebUtils.urlEncoderencode(fileUrl);
if (ObjectUtils.isEmpty(fileUrl)) {
return otherFilePreview.notSupportedFile(model, "非法路径,不允许访问");
}
return filePreview.filePreviewHandle(fileUrl, model, fileAttribute); //统一在这里处理 url
}
@GetMapping( "/picturesPreview")