diff --git a/servers/boe-server-all/src/main/java/com/xboe/module/course/api/CourseFileApi.java b/servers/boe-server-all/src/main/java/com/xboe/module/course/api/CourseFileApi.java
index 9b6b6331..9f40cdae 100644
--- a/servers/boe-server-all/src/main/java/com/xboe/module/course/api/CourseFileApi.java
+++ b/servers/boe-server-all/src/main/java/com/xboe/module/course/api/CourseFileApi.java
@@ -436,6 +436,11 @@ public class CourseFileApi extends ApiBaseController {
 response.reset();
 //由于火狐和其他浏览器显示名称的方式不相同,需要进行不同的编码处理
 if (agent.indexOf("FIREFOX") != -1) {//火狐浏览器
+ // 检查文件名中是否包含不允许的字符
+ if (fileName.matches(".*[\n\r;%].*")) {
+ throw new IllegalArgumentException("Filename contains illegal characters");
+ }
+
 response.addHeader("Content-Disposition", "attachment;filename=" + new String(fileName.getBytes("GB2312"), "ISO-8859-1"));
 } else {//其他浏览器
 response.addHeader("Content-Disposition", "attachment;filename=" + URLEncoder.encode(fileName, "UTF-8"));
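Review bot: The new guard `fileName.matches(".*[\n\r;%].*")` does not reject every filename containing a line break, because `String.matches` must consume the whole string and `.` does not match a line terminator unless DOTALL is set, so a value with two or more CR/LF characters (for example a constructed `"a\nb\nc"`) fails the pattern and still reaches the unencoded `Content-Disposition` header in the Firefox branch. Switching to a search rather than a full match closes that gap: `if (fileName.matches("(?s).*[\\r\\n;%].*"))`, or cheaper and clearer, `if (Pattern.compile("[\\r\\n;%]").matcher(fileName).find())` with the `Pattern` cached as a `static final` since the method runs per download. The check is only applied on the Firefox path; the other branch URL-encodes the name, which presumably already neutralises CR/LF, but placing the validation before the `if (agent.indexOf("FIREFOX") ...)` branch would make the rule hold regardless of which header-building path is taken. The enclosing method starts and ends outside this hunk.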