From f8ca27209594d67dd766c8a58d7842364147d6bf Mon Sep 17 00:00:00 2001
From: Pu Zhibing <393733352@qq.com>
Date: 星期四, 18 九月 2025 17:18:45 +0800
Subject: [PATCH] 修改安全漏洞
---
 management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/util/UploadUtil.java | 18 +++++++++++++++---
 1 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/util/UploadUtil.java b/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/util/UploadUtil.java
index 237fb5f..ccc8887 100644
--- a/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/util/UploadUtil.java
+++ b/management/guns-admin/src/main/java/com/stylefeng/guns/modular/system/controller/util/UploadUtil.java
@@ -77,7 +77,11 @@
 MultipartFile file = (MultipartFile) multipartRequest.getFile("myfile");
 QianYunTongConfig qianYunTongConfig1 = qianYunTongConfig.getQianYunTongConfig();
 if (file.getSize() != 0) {
- String pictureName = UUID.randomUUID().toString() + "." + ToolUtil.getFileSuffix(file.getOriginalFilename());
+ String fileSuffix = ToolUtil.getFileSuffix(file.getOriginalFilename());
+ if(!fileSuffix.contains("png") && !fileSuffix.contains("jpg")){
+ throw new RuntimeException("请上传png/jpg的图片文件");
+ }
+ String pictureName = UUID.randomUUID().toString() + "." + fileSuffix;
 String bucketName = qianYunTongConfig1.getBucketName();
 Bucket grjyTest = NCOSSUtil.getBucketInfo(bucketName);
 if (null == grjyTest) {
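Review bot: The new suffix check is a substring test, not a whitelist: `fileSuffix.contains("png")` accepts any suffix that merely contains those letters (e.g. `pngx`, `jspng`, and `jpg.php` if `ToolUtil.getFileSuffix` returns everything after the first dot — its behaviour is not visible here), and that user-controlled suffix is then appended verbatim to the stored object name on the new `pictureName` line, while a legitimate `PNG`/`JPG` upload is rejected. Compare the normalized suffix exactly instead: `String fileSuffix = ToolUtil.getFileSuffix(file.getOriginalFilename()).toLowerCase(Locale.ROOT);` and `if (!"png".equals(fileSuffix) && !"jpg".equals(fileSuffix)) {` (needs `java.util.Locale`; guard for a null return from `getFileSuffix`/`getOriginalFilename()` first if the helper can yield one). An extension check alone does not establish that the bytes are an image, so if the bucket serves these objects to browsers, consider also validating the magic bytes or decoding with `ImageIO`. The enclosing method begins and ends outside the hunk.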
@@ -117,7 +121,11 @@
 @ResponseBody
 public String image(@RequestPart("file") MultipartFile picture, HttpServletRequest request) {
 try {
- String pictureName = UUID.randomUUID().toString() + "." + ToolUtil.getFileSuffix(picture.getOriginalFilename());
+ String fileSuffix = ToolUtil.getFileSuffix(picture.getOriginalFilename());
+ if(!fileSuffix.contains("png") && !fileSuffix.contains("jpg")){
+ return "请上传png/jpg的图片文件";
+ }
+ String pictureName = UUID.randomUUID().toString() + "." + fileSuffix;
 QianYunTongConfig qianYunTongConfig1 = qianYunTongConfig.getQianYunTongConfig();
 String bucketName = qianYunTongConfig1.getBucketName();
 System.err.println("bucketName:"+bucketName);
@@ -183,8 +191,12 @@
 public String imageUp(@RequestPart("upfile") MultipartFile picture, HttpServletRequest request) {
 String callback = request.getParameter("callback");
 try {
+ String fileSuffix = ToolUtil.getFileSuffix(picture.getOriginalFilename());
+ if(!fileSuffix.contains("png") && !fileSuffix.contains("jpg")){
+ throw new RuntimeException("请上传png/jpg的图片文件");
+ }
 // 上传文件目录
- String pictureName = UUID.randomUUID().toString() + "." + ToolUtil.getFileSuffix(picture.getOriginalFilename());
+ String pictureName = UUID.randomUUID().toString() + "." + fileSuffix;
 QianYunTongConfig qianYunTongConfig1 = qianYunTongConfig.getQianYunTongConfig();
 String bucketName = qianYunTongConfig1.getBucketName();
 Bucket grjyTest = NCOSSUtil.getBucketInfo(bucketName);
-- 
Gitblit v1.7.1
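Review bot: On rejection `image` now `return`s the human-readable message `"请上传png/jpg的图片文件"` as its `@ResponseBody` String, the same channel the success path uses for whatever it returns after the upload (the rest of the method is outside the hunk, presumably the stored object's URL or name), so a client cannot distinguish a rejected upload from a successful one without parsing the text. Either throw as the other two upload methods in this commit do, or return the same structured error shape the method's existing `catch` branch produces. Independently, `fileSuffix.contains("png")`/`contains("jpg")` is a substring match that lets suffixes such as `pngx` through and rejects `PNG`; use exact comparison on a lower-cased suffix, e.g. `if (!"png".equals(fileSuffix) && !"jpg".equals(fileSuffix)) {`.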
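Review bot: In `imageUp` the new `throw new RuntimeException(...)` is placed inside `try {`, whose `catch` lies outside the hunk; if that catch is a broad `catch (Exception e)` that builds the `callback`-wrapped response, the validation failure will surface as a generic upload error and the specific message never reaches the caller, so the check should either run before `try` with its own response or use a dedicated exception type the catch can recognise. The same four-line suffix check is now copy-pasted into three methods, each with the substring-match weakness of `contains("png")`/`contains("jpg")`; extract it once, e.g. `private static String requireImageSuffix(String originalName)` that lower-cases the suffix, compares it exactly against `png`/`jpg` and returns it, and call that from all three upload paths so a later fix lands in one place. The enclosing method ends outside the hunk.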