
NULL地址不允许预览

pull/54/MERGE
陈精华 2 years ago
parent
commit
d78351f72c
No known key found for this signature in database
GPG Key ID: 30BDC970902B755D
  1. 22
      server/src/main/java/cn/keking/web/controller/FileController.java
  2. 20
      server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java

22
server/src/main/java/cn/keking/web/controller/FileController.java

@ -3,7 +3,6 @@ package cn.keking.web.controller;
import cn.keking.config.ConfigConstants; import cn.keking.config.ConfigConstants;
import cn.keking.model.ReturnResponse; import cn.keking.model.ReturnResponse;
import cn.keking.utils.KkFileUtils; import cn.keking.utils.KkFileUtils;
import com.fasterxml.jackson.core.JsonProcessingException;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import org.springframework.util.StreamUtils; import org.springframework.util.StreamUtils;
@ -15,11 +14,14 @@ import org.springframework.web.multipart.MultipartFile;
import org.springframework.web.util.HtmlUtils; import org.springframework.web.util.HtmlUtils;
import java.io.File; import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException; import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.io.OutputStream; import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Arrays; import java.util.Arrays;
import java.util.HashMap; import java.util.HashMap;
@ -41,7 +43,7 @@ public class FileController {
private final String demoPath = demoDir + File.separator; private final String demoPath = demoDir + File.separator;
@PostMapping("/fileUpload") @PostMapping("/fileUpload")
public ReturnResponse<Object> fileUpload(@RequestParam("file") MultipartFile file) throws JsonProcessingException { public ReturnResponse<Object> fileUpload(@RequestParam("file") MultipartFile file) {
if (ConfigConstants.getFileUploadDisable()) { if (ConfigConstants.getFileUploadDisable()) {
return ReturnResponse.failure("文件传接口已禁用"); return ReturnResponse.failure("文件传接口已禁用");
} }
@ -71,7 +73,7 @@ public class FileController {
logger.error("创建文件夹【{}】失败,请检查目录权限!", fileDir + demoPath); logger.error("创建文件夹【{}】失败,请检查目录权限!", fileDir + demoPath);
} }
logger.info("上传文件:{}", fileDir + demoPath + fileName); logger.info("上传文件:{}", fileDir + demoPath + fileName);
try (InputStream in = file.getInputStream(); OutputStream out = new FileOutputStream(fileDir + demoPath + fileName)) { try (InputStream in = file.getInputStream(); OutputStream out = Files.newOutputStream(Paths.get(fileDir + demoPath + fileName))) {
StreamUtils.copy(in, out); StreamUtils.copy(in, out);
return ReturnResponse.success(null); return ReturnResponse.success(null);
} catch (IOException e) { } catch (IOException e) {
@ -81,7 +83,15 @@ public class FileController {
} }
@GetMapping("/deleteFile") @GetMapping("/deleteFile")
public ReturnResponse<Object> deleteFile(String fileName) throws JsonProcessingException { public ReturnResponse<Object> deleteFile(String fileName) {
if (fileName == null || fileName.length() == 0) {
return ReturnResponse.failure("文件名为空,删除失败!");
}
try {
fileName = URLDecoder.decode(fileName, StandardCharsets.UTF_8.name());
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
}
if (fileName.contains("/")) { if (fileName.contains("/")) {
fileName = fileName.substring(fileName.lastIndexOf("/") + 1); fileName = fileName.substring(fileName.lastIndexOf("/") + 1);
} }
@ -99,7 +109,7 @@ public class FileController {
} }
@GetMapping("/listFiles") @GetMapping("/listFiles")
public List<Map<String, String>> getFiles() throws JsonProcessingException { public List<Map<String, String>> getFiles() {
List<Map<String, String>> list = new ArrayList<>(); List<Map<String, String>> list = new ArrayList<>();
File file = new File(fileDir + demoPath); File file = new File(fileDir + demoPath);
if (file.exists()) { if (file.exists()) {
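Review bot: In deleteFile, `URLDecoder.decode` throws an unchecked IllegalArgumentException on a malformed percent-escape (for example a trailing `%` in fileName), and the new try block only catches UnsupportedEncodingException, which cannot occur for the UTF-8 name passed here, so a malformed name propagates out of the handler instead of producing a failure response. I would catch both and return a failure rather than `e.printStackTrace()`, which also brings this handler in line with the class logger used elsewhere in the file: `} catch (UnsupportedEncodingException | IllegalArgumentException e) {` / `logger.warn("文件名解码失败:{}", fileName);` / `return ReturnResponse.failure("文件名非法,删除失败!");` (messages are constructed examples). The decode happens before the `contains("/")` strip, which is the right order, but only the forward slash is stripped; since the rest of deleteFile is outside the hunk I cannot tell whether a decoded `\`, which is also a separator on Windows, is handled further down.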

20
server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java

@ -23,7 +23,6 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import java.io.IOException; import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.net.HttpURLConnection; import java.net.HttpURLConnection;
import java.net.URL; import java.net.URL;
import java.util.Arrays; import java.util.Arrays;
@ -54,6 +53,10 @@ public class OnlinePreviewController {
@GetMapping( "/onlinePreview") @GetMapping( "/onlinePreview")
public String onlinePreview(String url, Model model, HttpServletRequest req) { public String onlinePreview(String url, Model model, HttpServletRequest req) {
if (url == null || url.length() == 0){
logger.info("URL异常:{}", url);
return otherFilePreview.notSupportedFile(model, "NULL地址不允许预览");
}
String fileUrl; String fileUrl;
try { try {
fileUrl = WebUtils.decodeUrl(url); fileUrl = WebUtils.decodeUrl(url);
@ -69,12 +72,12 @@ public class OnlinePreviewController {
} }
@GetMapping( "/picturesPreview") @GetMapping( "/picturesPreview")
public String picturesPreview(String urls, Model model, HttpServletRequest req) throws UnsupportedEncodingException { public String picturesPreview(String urls, Model model, HttpServletRequest req) {
String fileUrls;
if (urls == null || urls.length() == 0){ if (urls == null || urls.length() == 0){
logger.info("URL异常:{}", urls); logger.info("URL异常:{}", urls);
return otherFilePreview.notSupportedFile(model, "NULL地址不允许预览"); return otherFilePreview.notSupportedFile(model, "NULL地址不允许预览");
} }
String fileUrls;
try { try {
fileUrls = WebUtils.decodeUrl(urls); fileUrls = WebUtils.decodeUrl(urls);
// 防止XSS攻击 // 防止XSS攻击
@ -106,7 +109,14 @@ public class OnlinePreviewController {
* @param response response * @param response response
*/ */
@GetMapping("/getCorsFile") @GetMapping("/getCorsFile")
public void getCorsFile(String urlPath, HttpServletResponse response) { public void getCorsFile(String urlPath, HttpServletResponse response) throws IOException {
if (urlPath == null || urlPath.length() == 0){
logger.info("URL异常:{}", urlPath);
response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
response.setHeader("Content-Type", "text/html; charset=UTF-8");
response.getWriter().println("NULL地址不允许预览");
return;
}
try { try {
urlPath = WebUtils.decodeUrl(urlPath); urlPath = WebUtils.decodeUrl(urlPath);
} catch (Exception ex) { } catch (Exception ex) {
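Review bot: In getCorsFile the new guard sets the content type via `response.setHeader("Content-Type", "text/html; charset=UTF-8")` and then calls `getWriter()`, but the writer's charset is governed by setContentType/setCharacterEncoding, and whether a Content-Type set through setHeader also drives the writer encoding is container-specific (Tomcat happens to map it; the Servlet API does not require it). `response.setContentType("text/html; charset=UTF-8");` makes the encoding explicit, and because the body is a fixed message, `text/plain` would serve equally well and avoids emitting an error string as HTML. The same null-or-empty guard with the same log line and message now appears in onlinePreview, picturesPreview and getCorsFile, so a small private helper would keep the three copies from drifting. getCorsFile's body continues past the hunk.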
