From 19dea052371d4b3fe90650fa3f49d7bf0cff31a8 Mon Sep 17 00:00:00 2001
From: Zheng Jie <201507802@qq.com>
Date: Mon, 17 Apr 2023 10:21:25 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E5=AF=B9=E6=96=87=E4=BB=B6?= =?UTF-8?q?=E4=B8=8A=E4=BC=A0=E7=9A=84=E9=AA=8C=E8=AF=81=EF=BC=9A=E8=BF=87?= =?UTF-8?q?=E6=BB=A4=E6=8E=89=E6=96=87=E4=BB=B6=E5=90=8D=E4=B8=AD=E7=9A=84?= =?UTF-8?q?=E9=9D=9E=E6=B3=95=E5=AD=97=E7=AC=A6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../main/java/me/zhengjie/utils/FileUtil.java | 41 ++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/eladmin-common/src/main/java/me/zhengjie/utils/FileUtil.java b/eladmin-common/src/main/java/me/zhengjie/utils/FileUtil.java
index 0d8d5fb4..ca2b674d 100644
--- a/eladmin-common/src/main/java/me/zhengjie/utils/FileUtil.java
+++ b/eladmin-common/src/main/java/me/zhengjie/utils/FileUtil.java
@@ -182,7 +182,8 @@ public class FileUtil extends cn.hutool.core.io.FileUtil {
 public static File upload(MultipartFile file, String filePath) {
 Date date = new Date();
 SimpleDateFormat format = new SimpleDateFormat("yyyyMMddhhmmssS");
- String name = getFileNameNoEx(file.getOriginalFilename());
+ // 过滤非法文件名
+ String name = getFileNameNoEx(verifyFilename(file.getOriginalFilename()));
 String suffix = getExtensionName(file.getOriginalFilename());
 String nowStr = "-" + format.format(date);
 try {
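Review bot: The extension on the next context line is still taken from the raw client-supplied name, `getExtensionName(file.getOriginalFilename())`, so only the base name passes through the new filter in `upload`. If `suffix` is later joined into the stored file name (that code is outside this hunk), the characters `verifyFilename` strips can still arrive through the extension. Sanitise once and derive both parts from the result: `String original = verifyFilename(file.getOriginalFilename());` then `getFileNameNoEx(original)` and `getExtensionName(original)`. An allow-list of permitted extensions, checked at the same point, would be a stronger control than character filtering alone.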
@@ -350,6 +351,44 @@ public class FileUtil extends cn.hutool.core.io.FileUtil { } } + /** + * 验证并过滤非法的文件名 + * @param fileName 文件名 + * @return 文件名 + */ + public static String verifyFilename(String fileName) { + // 过滤掉特殊字符 + fileName = fileName.replaceAll("[\\\\/:*?\"<>|~\\s]", ""); + + // 去掉文件名开头和结尾的空格和点 + fileName = fileName.trim().replaceAll("^[. ]+|[. ]+$", ""); + + // 不允许文件名超过255(在Mac和Linux中)或260(在Windows中)个字符 + int maxFileNameLength = 255; + if (System.getProperty("os.name").startsWith("Windows")) { + maxFileNameLength = 260; + } + if (fileName.length() > maxFileNameLength) { + fileName = fileName.substring(0, maxFileNameLength); + } + + // 过滤掉控制字符 + fileName = fileName.replaceAll("[\\p{Cntrl}]", ""); + + // 过滤掉 ".." 路径 + fileName = fileName.replaceAll("\\.{2,}", ""); + + // 去掉文件名开头的 ".." + fileName = fileName.replaceAll("^\\.+/", ""); + + // 保留文件名中最后一个 "." 字符,过滤掉其他 "." + fileName = fileName.replaceAll("^(.*)(\\.[^.]*)$", "$1").replaceAll("\\.", "") + + fileName.replaceAll("^(.*)(\\.[^.]*)$", "$2"); + + return fileName; + } + + public static String getMd5(File file) { return getMd5(getByte(file)); }
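Review bot: The last step of `verifyFilename` doubles any name that contains no dot. Neither `replaceAll("^(.*)(\\.[^.]*)$", …)` call matches, so each returns the whole string and the two copies are concatenated. The method also dereferences `fileName` immediately, although Spring's `MultipartFile.getOriginalFilename()` may return null, so an upload without a filename would fail with a NullPointerException here. Splitting on `lastIndexOf('.')` keeps the intended behaviour for names with a dot and leaves dot-less names unchanged. How callers should treat a null result is outside the hunk and needs confirming.

```java
    public static String verifyFilename(String fileName) {
        if (fileName == null) {
            return null;
        }
        // … unchanged: character filtering, trimming, length cap, control-character and ".." removal …

        // Keep only the last "." and drop the others; a name without a dot is returned as it is
        int lastDot = fileName.lastIndexOf('.');
        if (lastDot >= 0) {
            fileName = fileName.substring(0, lastDot).replace(".", "") + fileName.substring(lastDot);
        }

        return fileName;
    }
```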