From f8ca27209594d67dd766c8a58d7842364147d6bf Mon Sep 17 00:00:00 2001
From: Pu Zhibing <393733352@qq.com>
Date: 星期四, 18 九月 2025 17:18:45 +0800
Subject: [PATCH] 修改安全漏洞

---
 management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/util/UploadUtil.java |   18 +++++++++++++++---
 management/guns-admin/src/main/webapp/static/js/common/web-upload-object.js                           |    8 ++++++--
 management/guns-admin/src/main/webapp/static/js/common/web-upload-image.js                            |    8 ++++++--
 3 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/util/UploadUtil.java b/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/util/UploadUtil.java
index 237fb5f..ccc8887 100644
--- a/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/util/UploadUtil.java
+++ b/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/util/UploadUtil.java
@@ -77,7 +77,11 @@
             MultipartFile file = (MultipartFile) multipartRequest.getFile("myfile");
             QianYunTongConfig qianYunTongConfig1 = qianYunTongConfig.getQianYunTongConfig();
             if (file.getSize() != 0) {
-                String pictureName = UUID.randomUUID().toString() + "." + ToolUtil.getFileSuffix(file.getOriginalFilename());
+                String fileSuffix = ToolUtil.getFileSuffix(file.getOriginalFilename());
+                if(!fileSuffix.contains("png") && !fileSuffix.contains("jpg")){
+                    throw new RuntimeException("请上传png/jpg的图片文件");
+                }
+                String pictureName = UUID.randomUUID().toString() + "." + fileSuffix;
                 String bucketName = qianYunTongConfig1.getBucketName();
                 Bucket grjyTest = NCOSSUtil.getBucketInfo(bucketName);
                 if (null == grjyTest) {
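Review bot: The allowlist on the added line `if(!fileSuffix.contains("png") && !fileSuffix.contains("jpg"))` is a substring test rather than an exact match, so any suffix that merely contains those letters is accepted, while a legitimate `PNG`, `JPG` or `jpeg` suffix is rejected; and if `ToolUtil.getFileSuffix` can return null (its contract is not visible here) the call throws an NPE instead of the intended message. Normalize and compare exactly instead: `String ext = fileSuffix == null ? "" : fileSuffix.toLowerCase(Locale.ROOT);` followed by `if (!"png".equals(ext) && !"jpg".equals(ext) && !"jpeg".equals(ext)) {` (needs `java.util.Locale`). Because only the name is inspected, the stored object's bytes are still whatever the client sent; if these endpoints must store images, decoding the content (e.g. checking that `ImageIO.read` returns non-null) is the stronger gate. The identical check is repeated in the `image` and `imageUp` hunks below, so it belongs in one private helper that all three call. The enclosing method begins before this hunk, so the catch that handles the new `RuntimeException` is not visible here.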
@@ -117,7 +121,11 @@
     @ResponseBody
     public String image(@RequestPart("file") MultipartFile picture, HttpServletRequest request) {
         try {
-            String pictureName = UUID.randomUUID().toString() + "." + ToolUtil.getFileSuffix(picture.getOriginalFilename());
+            String fileSuffix = ToolUtil.getFileSuffix(picture.getOriginalFilename());
+            if(!fileSuffix.contains("png") && !fileSuffix.contains("jpg")){
+                return "请上传png/jpg的图片文件";
+            }
+            String pictureName = UUID.randomUUID().toString() + "." + fileSuffix;
             QianYunTongConfig qianYunTongConfig1 = qianYunTongConfig.getQianYunTongConfig();
             String bucketName = qianYunTongConfig1.getBucketName();
             System.err.println("bucketName:"+bucketName);
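Review bot: The added `return "请上传png/jpg的图片文件";` reports the validation failure through the same String return that otherwise carries the uploaded object's URL, whereas the neighbouring hunks signal the same condition by throwing; a caller therefore has to inspect the text to tell the two outcomes apart. Picking one convention for the three methods, and documenting on `image` that the return value is either a URL or a user-facing error message, would make the contract explicit; a dedicated status or a JSON envelope would be clearer still if the client can be changed. The `System.err.println("bucketName:"+bucketName)` on the context line is pre-existing, but a logger would be the usual choice next to new validation code.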
@@ -183,8 +191,12 @@
     public String imageUp(@RequestPart("upfile") MultipartFile picture, HttpServletRequest request) {
         String callback = request.getParameter("callback");
         try {
+            String fileSuffix = ToolUtil.getFileSuffix(picture.getOriginalFilename());
+            if(!fileSuffix.contains("png") && !fileSuffix.contains("jpg")){
+                throw new RuntimeException("请上传png/jpg的图片文件");
+            }
             // 上传文件目录
-            String pictureName = UUID.randomUUID().toString() + "." + ToolUtil.getFileSuffix(picture.getOriginalFilename());
+            String pictureName = UUID.randomUUID().toString() + "." + fileSuffix;
             QianYunTongConfig qianYunTongConfig1 = qianYunTongConfig.getQianYunTongConfig();
             String bucketName = qianYunTongConfig1.getBucketName();
             Bucket grjyTest = NCOSSUtil.getBucketInfo(bucketName);
diff --git a/management/guns-admin/src/main/webapp/static/js/common/web-upload-image.js b/management/guns-admin/src/main/webapp/static/js/common/web-upload-image.js
index 6356e46..8e72a3e 100644
--- a/management/guns-admin/src/main/webapp/static/js/common/web-upload-image.js
+++ b/management/guns-admin/src/main/webapp/static/js/common/web-upload-image.js
@@ -82,8 +82,12 @@
 
 			// 文件上传成功,给item添加成功class, 用样式标记上传成功。
 			bindedObj.on('uploadSuccess', function(file,response) {
-				Feng.success("上传成功");
-				$("#" + me.pictureId).val(response);
+				if(null != response && response.indexOf("http") != -1){
+					Feng.success("上传成功");
+					$("#" + me.pictureId).val(response);
+				}else{
+					Feng.error(response);
+				}
 			});
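Review bot: The new success test `response.indexOf("http") != -1` classifies the outcome by substring, so a server error message that happens to contain `http` is treated as success and written into the field, while a success response lacking that text is reported as an error. Anchor the match at least, `if (response && /^https?:\/\//.test(response)) {`, or preferably branch on a distinct status code or JSON flag from the server rather than on the shape of a string. If any response path echoes request data (the filename, for instance), confirm that `Feng.error` escapes it before rendering. The same change appears in web-upload-object.js below.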
 
 			// 文件上传失败,显示上传出错。
diff --git a/management/guns-admin/src/main/webapp/static/js/common/web-upload-object.js b/management/guns-admin/src/main/webapp/static/js/common/web-upload-object.js
index 1130036..76650e6 100644
--- a/management/guns-admin/src/main/webapp/static/js/common/web-upload-object.js
+++ b/management/guns-admin/src/main/webapp/static/js/common/web-upload-object.js
@@ -84,8 +84,12 @@
 
 			// 文件上传成功,给item添加成功class, 用样式标记上传成功。
 			bindedObj.on('uploadSuccess', function(file,response) {
-				Feng.success("上传成功");
-				$("#" + me.pictureId).val(response);
+				if(null != response && response.indexOf("http") != -1){
+					Feng.success("上传成功");
+					$("#" + me.pictureId).val(response);
+				}else{
+					Feng.error(response);
+				}
 			});
 
 			// 文件上传失败,显示上传出错。

--
Gitblit v1.7.1