From f7a6c0dfd508eeeef3a1724b6dfe4c7f983397cb Mon Sep 17 00:00:00 2001
From: manailin <261030956@qq.com>
Date: 星期二, 21 六月 2022 17:46:55 +0800
Subject: [PATCH] [修改]修复文件类型上传漏洞
---
 springcloud_k8s_panzhihuazhihuishequ/grid_app/src/main/java/com/panzhihua/grid_app/api/CommonApi.java | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/springcloud_k8s_panzhihuazhihuishequ/grid_app/src/main/java/com/panzhihua/grid_app/api/CommonApi.java b/springcloud_k8s_panzhihuazhihuishequ/grid_app/src/main/java/com/panzhihua/grid_app/api/CommonApi.java
index bddb531..2fbd308 100644
--- a/springcloud_k8s_panzhihuazhihuishequ/grid_app/src/main/java/com/panzhihua/grid_app/api/CommonApi.java
+++ b/springcloud_k8s_panzhihuazhihuishequ/grid_app/src/main/java/com/panzhihua/grid_app/api/CommonApi.java
@@ -12,6 +12,7 @@
 import javax.annotation.Resource;
 import javax.servlet.http.HttpServletRequest;
+import com.panzhihua.common.utlis.MimeTypeUtils;
 import com.panzhihua.grid_app.config.MinioUtil;
 import org.apache.commons.io.FilenameUtils;
 import org.springframework.beans.factory.annotation.Value;
@@ -26,6 +27,8 @@
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import lombok.extern.slf4j.Slf4j;
+
+import static com.panzhihua.common.utlis.FileTypeUploadUtils.assertAllowed;
 /**
 * @program: springcloud_k8s_panzhihuazhihuishequ
@@ -117,6 +120,7 @@
 @PostMapping(value = "/uploadimages", consumes = "multipart/*", headers = "content-type=multipart/form-date")
 public R uploadImages(@RequestParam MultipartFile file, HttpServletRequest request) {
 try {
+ assertAllowed(file, MimeTypeUtils.DEFAULT_ALLOWED_EXTENSION);
 String extension = FilenameUtils.getExtension(file.getOriginalFilename());
 String name = UUID.randomUUID().toString().replaceAll("-", "") + "." + extension;
 String imageUrl = minioUtil.upload(file, name);
-- 
Gitblit v1.7.1
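Review bot: The added `assertAllowed(file, MimeTypeUtils.DEFAULT_ALLOWED_EXTENSION);` in `uploadImages` validates an image-only endpoint against what its name suggests is the general-purpose allowlist, and the stored object name is still built from the extension of the client-supplied `file.getOriginalFilename()`. The contents of `DEFAULT_ALLOWED_EXTENSION` and the body of `assertAllowed` are not visible here, so confirm the list holds only image types for this endpoint, or pass an image-only list instead: `assertAllowed(file, <image-only allowlist>);`. An extension check does not establish what the bytes are, so the upload should also be stored and served with a fixed image content type, or decoded as an image before `minioUtil.upload`. The `catch` for this `try` lies outside the hunk; check that a rejected file produces an error response to the caller rather than only a log line, and a short comment above the call such as `// reject disallowed file types before anything is written to MinIO` would document why the order matters.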