From f7a6c0dfd508eeeef3a1724b6dfe4c7f983397cb Mon Sep 17 00:00:00 2001
From: manailin <261030956@qq.com>
Date: 星期二, 21 六月 2022 17:46:55 +0800
Subject: [PATCH] [修改]修复文件类型上传漏洞

---
 springcloud_k8s_panzhihuazhihuishequ/applets/src/main/java/com/panzhihua/applets/api/CommonApi.java |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/springcloud_k8s_panzhihuazhihuishequ/applets/src/main/java/com/panzhihua/applets/api/CommonApi.java b/springcloud_k8s_panzhihuazhihuishequ/applets/src/main/java/com/panzhihua/applets/api/CommonApi.java
index b6c0204..f465af5 100644
--- a/springcloud_k8s_panzhihuazhihuishequ/applets/src/main/java/com/panzhihua/applets/api/CommonApi.java
+++ b/springcloud_k8s_panzhihuazhihuishequ/applets/src/main/java/com/panzhihua/applets/api/CommonApi.java
@@ -15,6 +15,7 @@
 
 import com.panzhihua.applets.config.MinioUtil;
 import com.panzhihua.common.controller.BaseController;
+import com.panzhihua.common.utlis.MimeTypeUtils;
 import net.coobird.thumbnailator.Thumbnails;
 import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.lang3.RandomUtils;
@@ -41,6 +42,8 @@
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import lombok.extern.slf4j.Slf4j;
+
+import static com.panzhihua.common.utlis.FileTypeUploadUtils.assertAllowed;
 
 /**
  * @program: springcloud_k8s_panzhihuazhihuishequ
@@ -153,6 +156,7 @@
     @PostMapping(value = "/uploadimages", consumes = "multipart/*", headers = "content-type=multipart/form-date")
     public R uploadImages(@RequestParam MultipartFile file, HttpServletRequest request) {
         try {
+            assertAllowed(file, MimeTypeUtils.DEFAULT_ALLOWED_EXTENSION);
             String extension = FilenameUtils.getExtension(file.getOriginalFilename());
             String name = UUID.randomUUID().toString().replaceAll("-", "") + "." + extension;
             String imageUrl = minioUtil.upload(file, name);
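Review bot: The new `assertAllowed(file, MimeTypeUtils.DEFAULT_ALLOWED_EXTENSION);` call sits inside the `try` of uploadImages, and the `catch` that closes that block is outside the hunk; if that catch maps every exception to the same generic failure response, a rejected file type becomes indistinguishable from a storage failure for the caller and in the logs. Placing the check above `try {`, or catching the exception type assertAllowed throws before the generic handler, keeps the rejection reason visible and auditable. The stored object name on the following lines still takes `extension` straight from `file.getOriginalFilename()`; whether assertAllowed is case-insensitive and whether it inspects content rather than only the name is not visible here, so consider computing `String extension = FilenameUtils.getExtension(file.getOriginalFilename()).toLowerCase(Locale.ROOT);` first and validating that same value, so the suffix written to storage is exactly what was checked. The same applies to the identical line added to uploadImagesComPress in the `@@ -167,6 +171,7 @@` hunk.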
@@ -167,6 +171,7 @@
     @PostMapping(value = "/uploadimagescompress", consumes = "multipart/*", headers = "content-type=multipart/form-date")
     public R uploadImagesComPress(@RequestParam MultipartFile file, HttpServletRequest request) {
         try {
+            assertAllowed(file, MimeTypeUtils.DEFAULT_ALLOWED_EXTENSION);
             String extension = FilenameUtils.getExtension(file.getOriginalFilename());
             String uuid=UUID.randomUUID().toString().replaceAll("-", "");
             String name = uuid  + "."+ extension;

--
Gitblit v1.7.1