Commit 5d7703bb by Lenovo

添加下载路径限制

parent 74cff147
...@@ -79,6 +79,7 @@ public class SecurityPropertyPlaceholderConfigurer extends PropertyPlaceholderCo ...@@ -79,6 +79,7 @@ public class SecurityPropertyPlaceholderConfigurer extends PropertyPlaceholderCo
public static void main(String[] args) { public static void main(String[] args) {
System.out.println(DES3Utils.encrypt("foctest", CONF_DESC_KEY)); System.out.println(DES3Utils.encrypt("foctest", CONF_DESC_KEY));
System.out.println(DES3Utils.decrypt("69872b2310ba9b30470ce46682151021e825c3909c394aa5f4387123bdbfa67e", CONF_DESC_KEY)); System.out.println(DES3Utils.decrypt("35824f37e331a42e669a52e248d88ffb6474030c906ec914", CONF_DESC_KEY));
System.out.println(DES3Utils.decrypt("6f2237c231b1464c6474030c906ec914", CONF_DESC_KEY));
} }
} }
...@@ -38,11 +38,10 @@ import java.util.List; ...@@ -38,11 +38,10 @@ import java.util.List;
import java.util.Map; import java.util.Map;
/** /**
* @team IT Team
* @author renmb * @author renmb
* @version 1.0 * @version 1.0
* @team IT Team
* @time 2016-03-22 * @time 2016-03-22
*
*/ */
@Controller @Controller
@RequestMapping(value = "/api/upload") @RequestMapping(value = "/api/upload")
...@@ -55,11 +54,11 @@ public class UploadController { ...@@ -55,11 +54,11 @@ public class UploadController {
/** /**
* 使用BASE64上传文件 * 使用BASE64上传文件
* *
* @author renmb
* @time 2016年11月1日
* @param request * @param request
* @param requestBean * @param requestBean
* @return * @return
* @author renmb
* @time 2016年11月1日
*/ */
@ResponseBody @ResponseBody
@RequestMapping("/base64") @RequestMapping("/base64")
...@@ -284,7 +283,11 @@ public class UploadController { ...@@ -284,7 +283,11 @@ public class UploadController {
InputStream in = null; InputStream in = null;
OutputStream out = null; OutputStream out = null;
try { try {
if (bean.getPath() != null) {
if (bean.getPath().indexOf("../") != -1) {
return;
}
}
// 设置文件MIME类型 // 设置文件MIME类型
response.setContentType("application/form-data;charset=utf-8"); response.setContentType("application/form-data;charset=utf-8");
// String downloadFileName=Encodes.urlEncode(bean.getName()); // String downloadFileName=Encodes.urlEncode(bean.getName());
...@@ -302,8 +305,8 @@ public class UploadController { ...@@ -302,8 +305,8 @@ public class UploadController {
// 获取目标文件的绝对路径 // 获取目标文件的绝对路径
// String fullFileName = GConstants.FILE_UPLOAD_DIR + bean.getPath(); // String fullFileName = GConstants.FILE_UPLOAD_DIR + bean.getPath();
File downloadFile = new File(GConstants.FILE_UPLOAD_DIR, bean.getPath()); File downloadFile = new File(GConstants.FILE_UPLOAD_DIR, bean.getPath());
LOG.error("文件下载地址:"+downloadFile.getAbsolutePath()); LOG.error("文件下载地址:" + downloadFile.getAbsolutePath());
System.out.println("文件下载地址:"+downloadFile.getAbsolutePath()); System.out.println("文件下载地址:" + downloadFile.getAbsolutePath());
// 读取文件 // 读取文件
in = new FileInputStream(downloadFile); in = new FileInputStream(downloadFile);
out = response.getOutputStream(); out = response.getOutputStream();
...@@ -324,7 +327,7 @@ public class UploadController { ...@@ -324,7 +327,7 @@ public class UploadController {
} }
} }
// public static String GetImageStr(String imgFile) // public static String GetImageStr(String imgFile)
// {//将图片文件转化为字节数组字符串,并对其进行Base64编码处理 // {//将图片文件转化为字节数组字符串,并对其进行Base64编码处理
//// String imgFile = "d://test.jpg";//待处理的图片 //// String imgFile = "d://test.jpg";//待处理的图片
// InputStream in = null; // InputStream in = null;
...@@ -400,12 +403,12 @@ public class UploadController { ...@@ -400,12 +403,12 @@ public class UploadController {
@RequestMapping("/verifFile") @RequestMapping("/verifFile")
public ResponseBean verifFile(HttpServletRequest request, RequestBean requestBean) { public ResponseBean verifFile(HttpServletRequest request, RequestBean requestBean) {
ResponseBean responseBean = new ResponseBean(); ResponseBean responseBean = new ResponseBean();
String stream=request.getParameter("fileStream"); String stream = request.getParameter("fileStream");
String filePath=request.getParameter("filePath"); String filePath = request.getParameter("filePath");
String fileDir=request.getParameter("fileDir"); String fileDir = request.getParameter("fileDir");
ByteArrayInputStream bais = null; ByteArrayInputStream bais = null;
FileOutputStream ostream = null; FileOutputStream ostream = null;
try{ try {
byte buf[] = stream.getBytes("utf-8"); byte buf[] = stream.getBytes("utf-8");
bais = new ByteArrayInputStream(buf); bais = new ByteArrayInputStream(buf);
POIFSFileSystem poifs = new POIFSFileSystem(); POIFSFileSystem poifs = new POIFSFileSystem();
...@@ -413,12 +416,11 @@ public class UploadController { ...@@ -413,12 +416,11 @@ public class UploadController {
directory.createDocument("WordDocument", bais); directory.createDocument("WordDocument", bais);
// 文件保存地址 // 文件保存地址
File uploadFilePath = new File(GConstants.FILE_UPLOAD_DIR,filePath); File uploadFilePath = new File(GConstants.FILE_UPLOAD_DIR, filePath);
if(uploadFilePath.exists()) if (uploadFilePath.exists()) {
{
return responseBean; return responseBean;
} }
File baseUploadDir = new File(GConstants.FILE_UPLOAD_DIR,fileDir); File baseUploadDir = new File(GConstants.FILE_UPLOAD_DIR, fileDir);
if (!baseUploadDir.exists()) {// 如果文件夹不存在则创建 if (!baseUploadDir.exists()) {// 如果文件夹不存在则创建
baseUploadDir.mkdirs(); baseUploadDir.mkdirs();
} }
......
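Review bot: The new guard in the download hunk (`@@ -284,7 +283,11 @@`) rejects only the literal substring `../`, so `new File(GConstants.FILE_UPLOAD_DIR, bean.getPath())` a few lines later can still resolve outside the upload directory for a bare `..` path or a Windows-style `..\` separator, and the bare `return` leaves the response with no status set. A canonical-path comparison (`Path.startsWith`, which compares path components rather than string prefixes, so a sibling directory with the same name prefix is not matched) is the check that actually enforces the restriction. The same `File(GConstants.FILE_UPLOAD_DIR, ...)` construction in the `verifFile` hunk (`@@ -413,12 +416,11 @@`) takes `filePath` and `fileDir` straight from request parameters and receives no restriction in this commit; the error-level `LOG.error("文件下载地址:" ...)` plus `System.out.println` of the resolved path in the `@@ -302,8 +305,8 @@` hunk is also ordinary debug output at the wrong level. The enclosing download method starts before and ends after the hunk, so the catch that would handle the `IOException` from `getCanonicalFile()`/`sendError()` is not visible here; the existing `new FileInputStream(...)` suggests one exists, but confirm.
```java
String requested = bean.getPath();
if (requested == null) {
    response.sendError(HttpServletResponse.SC_BAD_REQUEST);
    return;
}
File baseDir = new File(GConstants.FILE_UPLOAD_DIR).getCanonicalFile();
File downloadFile = new File(baseDir, requested).getCanonicalFile();
// reject anything that canonicalizes outside the upload directory
if (!downloadFile.toPath().startsWith(baseDir.toPath())) {
    response.sendError(HttpServletResponse.SC_FORBIDDEN);
    return;
}
// … unchanged: MIME type, header, stream copy …
```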