From 628450ded3b738f62f68bc2f7cb90804331eb201 Mon Sep 17 00:00:00 2001
From: Pu Zhibing <393733352@qq.com>
Date: 星期二, 18 二月 2025 15:10:59 +0800
Subject: [PATCH] 修复上传文件漏洞

---
 ruoyi-service/ruoyi-account/src/main/java/com/ruoyi/account/controller/TAppUserController.java | 11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/ruoyi-service/ruoyi-account/src/main/java/com/ruoyi/account/controller/TAppUserController.java b/ruoyi-service/ruoyi-account/src/main/java/com/ruoyi/account/controller/TAppUserController.java
index 5ad844e..5178dc2 100644
--- a/ruoyi-service/ruoyi-account/src/main/java/com/ruoyi/account/controller/TAppUserController.java
+++ b/ruoyi-service/ruoyi-account/src/main/java/com/ruoyi/account/controller/TAppUserController.java
@@ -52,6 +52,7 @@
 import io.swagger.annotations.ApiOperation;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.data.redis.core.RedisTemplate;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.client.RestTemplate;
@@ -63,6 +64,7 @@
 import java.time.LocalDate;
 import java.time.LocalDateTime;
 import java.util.*;
+import java.util.concurrent.TimeUnit;
 import java.util.stream.Collectors;
 
 /**
@@ -120,6 +122,9 @@
 private TAppUserCarService carService;
 @Resource
 private IntegralRuleClient integralRuleClient;
+
+ @Resource
+ private RedisTemplate redisTemplate;
 @Resource
@@ -715,6 +720,12 @@
 @GetMapping(value = "/user/set/avatar")
 public R avatar(String url) {
 Long userId = tokenService.getLoginUserApplet().getUserId();
+ String fileName = redisTemplate.opsForValue().get("file:" + userId).toString();
+ String substring = url.substring(url.lastIndexOf("/") + 1);
+ if(StringUtils.isEmpty(fileName) || fileName.equals(substring)){
+ return R.fail("请重新上传头像");
+ }
+
 TAppUser byId = appUserService.getById(userId);
 byId.setAvatar(url);
 appUserService.updateById(byId);
-- 
Gitblit v1.7.1
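Review bot: The new guard in avatar() appears inverted: it returns `R.fail` when the name cached under `file:<userId>` equals the last path segment of `url`, so if that key holds the filename produced by the upload step (as the commit message suggests), the user who just uploaded is told to re-upload while every other value passes and the intended check never takes effect; the condition should read `if (StringUtils.isEmpty(fileName) || !fileName.equals(substring)) {`. The `.toString()` on the raw `get(...)` result throws a NullPointerException when the key is missing or expired, before `StringUtils.isEmpty` can see the null — split it into `Object cached = redisTemplate.opsForValue().get("file:" + userId);` and `String fileName = cached == null ? null : cached.toString();`, and reject a null or empty `url` the same way before calling `lastIndexOf`. The comparison covers only the final path segment, so the scheme, host and directory of `url` are stored as given; if the upload step knows the full stored URL or base path, recording and comparing that would be the stronger check. The field added in the third hunk is a raw `RedisTemplate`; declaring it `RedisTemplate<String, String>` would remove the `toString()` and the unchecked access. avatar() continues past the end of the hunk.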