diff --git a/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java b/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java
index 3b919a97..1848cada 100644
--- a/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java
+++ b/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java
@@ -106,6 +106,12 @@ public class OnlinePreviewController {
 */
 @RequestMapping(value = "/getCorsFile", method = RequestMethod.GET)
 public void getCorsFile(String urlPath, HttpServletResponse response) {
+ try {
+ urlPath = new String(Base64.decodeBase64(urlPath), StandardCharsets.UTF_8);
+ } catch (Exception ex) {
+ logger.error(String.format(BASE64_DECODE_ERROR_MSG, urlPath, ex));
+ return;
+ }
 if (urlPath == null || urlPath.toLowerCase().startsWith("file:") || urlPath.toLowerCase().startsWith("file%3") || !urlPath.toLowerCase().startsWith("http")) {
 logger.info("读取跨域文件异常,可能存在非法访问,urlPath:{}", urlPath);
 return;
diff --git a/server/src/main/resources/web/pdf.ftl b/server/src/main/resources/web/pdf.ftl
index 7827fcb6..782a0d5a 100644
--- a/server/src/main/resources/web/pdf.ftl
+++ b/server/src/main/resources/web/pdf.ftl
@@ -25,7 +25,7 @@
 var url = '${finalUrl}';
 var baseUrl = '${baseUrl}'.endsWith('/') ? '${baseUrl}' : '${baseUrl}' + '/';
 if (!url.startsWith(baseUrl)) {
- url = baseUrl + 'getCorsFile?urlPath=' + encodeURIComponent(url);
+ url = baseUrl + 'getCorsFile?urlPath=' + encodeURIComponent(Base64.encode(url));
 }
 document.getElementsByTagName('iframe')[0].src = "${baseUrl}pdfjs/web/viewer.html?file=" + encodeURIComponent(url) + "&disablepresentationmode=${pdfPresentationModeDisable}&disableopenfile=${pdfOpenFileDisable}&disableprint=${pdfPrintDisable}&disabledownload=${pdfDownloadDisable}&disablebookmark=${pdfBookmarkDisable}";
 document.getElementsByTagName('iframe')[0].height = document.documentElement.clientHeight - 10;
@@ -52,4 +52,4 @@
 initWaterMark();
 }
-
\ No newline at end of file
+
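Review bot: The catch block in the new `try` returns without setting a status, so a request whose `urlPath` cannot be decoded is answered with an empty 200 body; add `response.setStatus(HttpServletResponse.SC_BAD_REQUEST);` before the `return`. If `Base64` here is commons-codec, `decodeBase64` is lenient and silently drops characters outside its alphabet, so the catch will rarely fire and a malformed value falls through as garbled text to the `startsWith` checks on the following lines — those checks, not the base64 step, remain the only gate on what this endpoint fetches, and a comment stating that would help the next reader. Prefer `logger.error(String.format(BASE64_DECODE_ERROR_MSG, urlPath), ex)` so the throwable is logged as the exception argument with its stack trace rather than formatted into the message. The body of `getCorsFile` continues outside the hunk.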
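Review bot: The changed line depends on a global `Base64` object whose script include is not in the hunk; if it is not loaded on this page the assignment throws a ReferenceError and the iframe `src` on the following line is never set, so confirm the include exists (the enclosing script block starts before the hunk). The server side decodes the value as UTF-8 bytes, so the client encoder must be UTF-8 aware rather than a plain `btoa`, which throws on non-Latin-1 characters in `url`; a comment such as `// must match the UTF-8 Base64 decoding in OnlinePreviewController.getCorsFile` would record that coupling.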