From 1482809b0fb5e75746365461f5bbe0a13bf05543 Mon Sep 17 00:00:00 2001
From: yang <1175@qq.com>
Date: Mon, 26 Aug 2024 16:56:32 +0800
Subject: [PATCH] =?UTF-8?q?HTTP=E5=93=8D=E5=BA=94=E6=88=AA=E6=96=AD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../main/java/com/xboe/module/course/api/CourseFileApi.java | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/servers/boe-server-all/src/main/java/com/xboe/module/course/api/CourseFileApi.java b/servers/boe-server-all/src/main/java/com/xboe/module/course/api/CourseFileApi.java
index 9b6b6331..9f40cdae 100644
--- a/servers/boe-server-all/src/main/java/com/xboe/module/course/api/CourseFileApi.java
+++ b/servers/boe-server-all/src/main/java/com/xboe/module/course/api/CourseFileApi.java
@@ -436,6 +436,11 @@ public class CourseFileApi extends ApiBaseController {
 response.reset();
 //由于火狐和其他浏览器显示名称的方式不相同,需要进行不同的编码处理
 if (agent.indexOf("FIREFOX") != -1) {//火狐浏览器
+ // 检查文件名中是否包含不允许的字符
+ if (fileName.matches(".*[\n\r;%].*")) {
+ throw new IllegalArgumentException("Filename contains illegal characters");
+ }
+
 response.addHeader("Content-Disposition", "attachment;filename=" + new String(fileName.getBytes("GB2312"), "ISO-8859-1"));
 } else {//其他浏览器
 response.addHeader("Content-Disposition", "attachment;filename=" + URLEncoder.encode(fileName, "UTF-8"));
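Review bot: The added guard `fileName.matches(".*[\n\r;%].*")` lets through any name that holds more than one line terminator, including a CR immediately followed by LF, because `matches` has to consume the whole string and `.` in a Java regex does not match `\r` or `\n` unless DOTALL is enabled. Turning on DOTALL closes that gap with a one-token change: `if (fileName.matches("(?s).*[\n\r;%].*")) {`. The check also sits only inside the Firefox branch, which is the one that writes the raw bytes into `Content-Disposition`; the other branch goes through `URLEncoder.encode`, but moving the validation above `if (agent.indexOf("FIREFOX") != -1)` would make both paths reject the same names. The enclosing method starts and ends outside the hunk, so where `fileName` comes from and how the `IllegalArgumentException` is surfaced to the client cannot be confirmed from here.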