github
/
RuoYi
mirror of https://gitee.com/y_project/RuoYi.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

修复界面存在的一些安全问题

pull/74/head
RuoYi 2019-02-27 12:29:03 +08:00
parent d399160a0b
commit 807b723116
6 changed files with 47 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
pom.xml
View File

@ -20,7 +20,7 @@
<shiro.version>1.4.0</shiro.version>
<thymeleaf.extras.shiro.version>2.0.0</thymeleaf.extras.shiro.version>
<mybatis.boot.version>1.3.2</mybatis.boot.version>
<druid.version>1.1.10</druid.version>
<druid.version>1.1.13</druid.version>
<bitwalker.version>1.19</bitwalker.version>
<kaptcha.version>2.3.2</kaptcha.version>
<swagger.version>2.7.0</swagger.version>

7
ruoyi-admin/src/main/java/com/ruoyi/web/controller/common/CommonController.java
View File

@ -14,6 +14,7 @@ import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.multipart.MultipartFile;
import com.ruoyi.common.base.AjaxResult;
import com.ruoyi.common.config.Global;
import com.ruoyi.common.utils.StringUtils;
import com.ruoyi.common.utils.file.FileUploadUtils;
import com.ruoyi.common.utils.file.FileUtils;
import com.ruoyi.framework.config.ServerConfig;
@ -45,9 +46,13 @@ public class CommonController
@GetMapping("common/download")
public void fileDownload(String fileName, Boolean delete, HttpServletResponse response, HttpServletRequest request)
{
String realFileName = System.currentTimeMillis() + fileName.substring(fileName.indexOf("_") + 1);
try
{
if (!FileUtils.isValidFilename(fileName))
{
throw new Exception(StringUtils.format(" 文件名称({})非法,不允许下载。 ", fileName));
}
String realFileName = System.currentTimeMillis() + fileName.substring(fileName.indexOf("_") + 1);
String filePath = Global.getDownloadPath() + fileName;
response.setCharacterEncoding("utf-8");

1
ruoyi-admin/src/main/resources/static/ruoyi/js/ry-ui.js
View File

@ -282,7 +282,6 @@
url: options.url, // 请求后台的URL*
ajaxParams: options.ajaxParams, // 请求数据的ajax的data属性
height: options.height, // 表格树的高度
ajaxParams: {}, // 请求数据的ajax的data属性
expandColumn: options.expandColumn, // 在哪一列上面显示展开按钮
striped: options.striped, // 是否显示行间隔色
bordered: true, // 是否显示边框

5
ruoyi-common/src/main/java/com/ruoyi/common/page/PageDomain.java
View File

@ -1,6 +1,7 @@
package com.ruoyi.common.page;
import com.ruoyi.common.utils.StringUtils;
import com.ruoyi.common.utils.sql.SqlUtil;
/**
*
@ -57,7 +58,7 @@ public class PageDomain
public void setOrderByColumn(String orderByColumn)
{
this.orderByColumn = orderByColumn;
this.orderByColumn = SqlUtil.escapeSql(orderByColumn);
}
public String getIsAsc()
@ -67,6 +68,6 @@ public class PageDomain
public void setIsAsc(String isAsc)
{
this.isAsc = isAsc;
this.isAsc = SqlUtil.escapeSql(isAsc);
}
}

13
ruoyi-common/src/main/java/com/ruoyi/common/utils/file/FileUtils.java
View File

@ -13,6 +13,8 @@ import java.io.OutputStream;
*/
public class FileUtils
{
public static String FILENAME_PATTERN = "[a-zA-Z0-9_\\-\\|\\.\\u4e00-\\u9fa5]+";
/**
* byte
*
@ -87,4 +89,15 @@ public class FileUtils
}
return flag;
}
/**
*
*
* @param filename
* @return true false
*/
public static boolean isValidFilename(String filename)
{
return filename.matches(FILENAME_PATTERN);
}
}

24
ruoyi-common/src/main/java/com/ruoyi/common/utils/sql/SqlUtil.java Normal file
View File

@ -0,0 +1,24 @@
package com.ruoyi.common.utils.sql;
import com.ruoyi.common.utils.StringUtils;
/**
* sql
*
* @author ruoyi
*/
public class SqlUtil
{
/**
* sql
*/
public static String escapeSql(String value)
{
if (StringUtils.isNotEmpty(value))
{
value = value.replaceAll("\\(", "");
value = value.replaceAll("\\)", "");
}
return value;
}
}