From 18929de9c1145e3aeb3c755f30b3789144b9b142 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=BC=A0=E5=98=89?= Date: Tue, 18 Apr 2023 10:45:45 +0800 Subject: [PATCH] =?UTF-8?q?=E5=AF=B9=E4=B8=8A=E4=BC=A0=E7=9A=84=E6=96=87?= =?UTF-8?q?=E4=BB=B6=E5=90=8D=E8=BF=9B=E8=A1=8C=E5=AE=89=E5=85=A8=E8=BF=87?= =?UTF-8?q?=E6=BB=A4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../huawei/datashow/service/UploadFileServiceImpl.java | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/main/java/com/huawei/datashow/service/UploadFileServiceImpl.java b/src/main/java/com/huawei/datashow/service/UploadFileServiceImpl.java index 9884792..f78e9d5 100644 --- a/src/main/java/com/huawei/datashow/service/UploadFileServiceImpl.java +++ b/src/main/java/com/huawei/datashow/service/UploadFileServiceImpl.java @@ -28,6 +28,10 @@ public class UploadFileServiceImpl implements UploadFileService throw new IOException(); } else { String originalFilename = file.getOriginalFilename(); + //对文件名进行安全过滤 + if ( originalFilename.contains("..") || originalFilename.contains("/") || originalFilename.contains("\\")) { + throw new IOException(); + } String fileType = originalFilename.substring(originalFilename.lastIndexOf('.')); if (fileType.equals(".xls")) { Workbook workbook = new HSSFWorkbook(file.getInputStream()); @@ -50,6 +54,10 @@ public class UploadFileServiceImpl implements UploadFileService } else { String originalFilename = file.getOriginalFilename(); + //对文件名进行安全过滤 + if ( originalFilename.contains("..") || originalFilename.contains("/") || originalFilename.contains("\\")) { + throw new IOException(); + } String fileType = originalFilename.substring(originalFilename.lastIndexOf('.')); if (fileType.equals(".txt") || fileType.equals(".csv")) { CSVFormat format = CSVFormat.DEFAULT.withHeader(); -- Gitee
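Review bot: The added filter in the first hunk still lets a null or dot-less name blow up two lines later: `file.getOriginalFilename()` is nullable on the usual multipart API (inferred, the field type is not in view), so `originalFilename.contains("..")` throws NullPointerException, and a name with no `.` makes `originalFilename.lastIndexOf('.')` return -1 so `substring(-1)` throws StringIndexOutOfBoundsException — both surface as a generic server error instead of the intended IOException. Folding those cases into the guard closes the gap: `if (originalFilename == null || originalFilename.isEmpty() || originalFilename.lastIndexOf('.') < 0 || originalFilename.contains("..") || originalFilename.contains("/") || originalFilename.contains("\\")) { throw new IOException("rejected unsafe upload file name"); }`. A blocklist of three substrings is also a weak form of path-traversal defence; if the name is later used to build a filesystem path (not visible in this hunk), prefer an allowlist on the base name such as `^[\\w.-]+$` or resolve against a fixed base directory and verify `normalize().startsWith(base)`. The enclosing method begins and ends outside the hunk, so where the name is ultimately consumed cannot be confirmed here.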
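Review bot: The second hunk pastes the same three-substring check and bare `throw new IOException()` that the first hunk adds, so the two branches will drift the next time the rule is tightened; pull it into one private helper and call `requireSafeFilename(originalFilename);` in both places. The helper is also the natural spot for the null and missing-extension handling and for an English why-comment explaining that the name is only trusted as far as its extension lookup. Both enclosing methods start and end outside the hunks.
```java
// Rejects upload names that could escape a directory or that carry no
// extension; callers below only use the name for its ".xls"/".txt"/".csv" suffix.
private static void requireSafeFilename(String name) throws IOException {
    if (name == null || name.isEmpty() || name.lastIndexOf('.') < 0
            || name.contains("..") || name.contains("/") || name.contains("\\")) {
        throw new IOException("rejected unsafe upload file name");
    }
}
// … unchanged: each branch then calls requireSafeFilename(originalFilename) before computing fileType …
```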