From d78351f72c4361c2020c9e90bf16c015ba45be6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E9=99=88=E7=B2=BE=E5=8D=8E?= <842761733@qq.com> Date: Wed, 14 Dec 2022 09:40:37 +0800 Subject: [PATCH] =?UTF-8?q?NULL=E5=9C=B0=E5=9D=80=E4=B8=8D=E5=85=81?= =?UTF-8?q?=E8=AE=B8=E9=A2=84=E8=A7=88?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../keking/web/controller/FileController.java | 22 ++++++++++++++----- .../controller/OnlinePreviewController.java | 20 ++++++++++++----- 2 files changed, 31 insertions(+), 11 deletions(-) diff --git a/server/src/main/java/cn/keking/web/controller/FileController.java b/server/src/main/java/cn/keking/web/controller/FileController.java index 3151a864..3bcdd32b 100644 --- a/server/src/main/java/cn/keking/web/controller/FileController.java +++ b/server/src/main/java/cn/keking/web/controller/FileController.java @@ -3,7 +3,6 @@ package cn.keking.web.controller; import cn.keking.config.ConfigConstants; import cn.keking.model.ReturnResponse; import cn.keking.utils.KkFileUtils; -import com.fasterxml.jackson.core.JsonProcessingException; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.util.StreamUtils; @@ -15,11 +14,14 @@ import org.springframework.web.multipart.MultipartFile; import org.springframework.web.util.HtmlUtils; import java.io.File; -import java.io.FileOutputStream; import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; +import java.io.UnsupportedEncodingException; +import java.net.URLDecoder; import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.nio.file.Paths; import java.util.ArrayList; import java.util.Arrays; import java.util.HashMap; 
@@ -41,7 +43,7 @@ public class FileController { private final String demoPath = demoDir + File.separator; @PostMapping("/fileUpload") - public ReturnResponse fileUpload(@RequestParam("file") MultipartFile file) throws JsonProcessingException { + public ReturnResponse fileUpload(@RequestParam("file") MultipartFile file) { if (ConfigConstants.getFileUploadDisable()) { return ReturnResponse.failure("文件传接口已禁用"); } @@ -71,7 +73,7 @@ public class FileController { logger.error("创建文件夹【{}】失败,请检查目录权限!", fileDir + demoPath); } logger.info("上传文件:{}", fileDir + demoPath + fileName); - try (InputStream in = file.getInputStream(); OutputStream out = new FileOutputStream(fileDir + demoPath + fileName)) { + try (InputStream in = file.getInputStream(); OutputStream out = Files.newOutputStream(Paths.get(fileDir + demoPath + fileName))) { StreamUtils.copy(in, out); return ReturnResponse.success(null); } catch (IOException e) { @@ -81,7 +83,15 @@ public class FileController { } @GetMapping("/deleteFile") - public ReturnResponse deleteFile(String fileName) throws JsonProcessingException { + public ReturnResponse deleteFile(String fileName) { + if (fileName == null || fileName.length() == 0) { + return ReturnResponse.failure("文件名为空,删除失败!"); + } + try { + fileName = URLDecoder.decode(fileName, StandardCharsets.UTF_8.name()); + } catch (UnsupportedEncodingException e) { + e.printStackTrace(); + } if (fileName.contains("/")) { fileName = fileName.substring(fileName.lastIndexOf("/") + 1); } @@ -99,7 +109,7 @@ public class FileController { } @GetMapping("/listFiles") - public List> getFiles() throws JsonProcessingException { + public List> getFiles() { List> list = new ArrayList<>(); File file = new File(fileDir + demoPath); if (file.exists()) { diff --git a/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java b/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java index 4e655346..24be0d86 100644 
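Review bot: The new `Files.newOutputStream(Paths.get(fileDir + demoPath + fileName))` still builds the destination by string concatenation and never checks that the resolved path stays inside the upload directory; where `fileName` comes from and whether it was sanitised earlier is above this hunk and not visible, so this may already be covered, but the `Path` is the natural place to make the guarantee local to the write. Something like `Path base = Paths.get(fileDir + demoPath).normalize(); Path target = base.resolve(fileName).normalize();` followed by `if (!target.startsWith(base)) return ReturnResponse.failure("非法文件名");` would close that regardless of what the caller did. Judging by the log message on the line above, a failed directory creation is only logged and the write is still attempted; the resulting `NoSuchFileException` lands in the `IOException` handler that ends the hunk, so that is pre-existing behaviour rather than a regression of this change. `fileUpload` starts and ends outside the hunk.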
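Review bot: In `deleteFile` the added catch uses `e.printStackTrace()` for an `UnsupportedEncodingException` that cannot be raised for `StandardCharsets.UTF_8.name()`, and it bypasses the class's SLF4J `logger` used elsewhere in this file; if the catch stays it should be `logger.error("解码文件名失败: {}", fileName, e); return ReturnResponse.failure("文件名非法,删除失败!");` rather than falling through with the raw value. Decoding before the existing `contains("/")` strip is the right order (a double-encoded `%252F` now becomes `/` and is stripped), but assuming the usual Spring binding `fileName` has already been URL-decoded by the servlet layer, so this second `URLDecoder.decode` also turns a literal `+` in a stored file name into a space and makes such files undeletable. The strip below still only handles `/`; a `\` survives it, so on Windows hosts the guard should cover both, e.g. `fileName = fileName.substring(Math.max(fileName.lastIndexOf('/'), fileName.lastIndexOf('\\')) + 1);`. What is done with the name afterwards is outside the hunk.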
--- a/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java +++ b/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java @@ -23,7 +23,6 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; import java.io.InputStream; -import java.io.UnsupportedEncodingException; import java.net.HttpURLConnection; import java.net.URL; import java.util.Arrays; @@ -54,6 +53,10 @@ public class OnlinePreviewController { @GetMapping( "/onlinePreview") public String onlinePreview(String url, Model model, HttpServletRequest req) { + if (url == null || url.length() == 0){ + logger.info("URL异常:{}", url); + return otherFilePreview.notSupportedFile(model, "NULL地址不允许预览"); + } String fileUrl; try { fileUrl = WebUtils.decodeUrl(url); @@ -69,12 +72,12 @@ public class OnlinePreviewController { } @GetMapping( "/picturesPreview") - public String picturesPreview(String urls, Model model, HttpServletRequest req) throws UnsupportedEncodingException { - String fileUrls; + public String picturesPreview(String urls, Model model, HttpServletRequest req) { if (urls == null || urls.length() == 0){ logger.info("URL异常:{}", urls); - return otherFilePreview.notSupportedFile(model, "NULL地址不允许预览:"); + return otherFilePreview.notSupportedFile(model, "NULL地址不允许预览"); } + String fileUrls; try { fileUrls = WebUtils.decodeUrl(urls); // 防止XSS攻击 
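Review bot: The guard added to `onlinePreview` logs `URL异常:{}` with a value that is by construction `null` or empty, so the placeholder never carries information, and the same lines now appear in three handlers in this file (`picturesPreview` already had them, `getCorsFile` gets them in this commit). A small private helper, `private static boolean isBlank(String s) { return s == null || s.trim().isEmpty(); }`, used by all three would keep the check in one place, and `trim()` would additionally reject whitespace-only input, which `length() == 0` currently passes on to `WebUtils.decodeUrl` (not visible here, so whether that matters is unconfirmed). Since this is a client error rather than a server fault, `logger.warn("onlinePreview called without url")` reads better than an info-level log of an empty value. The body of `onlinePreview` continues past the end of the hunk.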
@@ -106,7 +109,14 @@ public class OnlinePreviewController { * @param response response */ @GetMapping("/getCorsFile") - public void getCorsFile(String urlPath, HttpServletResponse response) { + public void getCorsFile(String urlPath, HttpServletResponse response) throws IOException { + if (urlPath == null || urlPath.length() == 0){ + logger.info("URL异常:{}", urlPath); + response.setStatus(HttpServletResponse.SC_BAD_REQUEST); + response.setHeader("Content-Type", "text/html; charset=UTF-8"); + response.getWriter().println("NULL地址不允许预览"); + return; + } try { urlPath = WebUtils.decodeUrl(urlPath); } catch (Exception ex) {
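Review bot: The new early return in `getCorsFile` hand-writes the 400 body as `text/html`, which is more than a fixed message needs and sets a pattern in which a later edit that interpolates `urlPath` into the page becomes reflected XSS; `response.sendError(HttpServletResponse.SC_BAD_REQUEST, "NULL地址不允许预览");` (or at least `response.setContentType("text/plain; charset=UTF-8")`) gives the same status with less surface. Adding `throws IOException` pushes a `getWriter()` failure to the servlet container as a 500, which is acceptable, but the Javadoc block that ends just above the hunk should gain `@throws IOException if the error response body cannot be written`. The null check says nothing about what `urlPath` may point at; the file imports `HttpURLConnection` and `URL`, so if the rest of the method (outside this hunk) fetches the address server-side, scheme and host restrictions belong there and are not addressed by this change.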