diff --git a/servers/boe-server-all/src/main/java/com/xboe/system/api/SysUploaderApi.java b/servers/boe-server-all/src/main/java/com/xboe/system/api/SysUploaderApi.java
index 84f47abb..453d59bb 100644
--- a/servers/boe-server-all/src/main/java/com/xboe/system/api/SysUploaderApi.java
+++ b/servers/boe-server-all/src/main/java/com/xboe/system/api/SysUploaderApi.java
@@ -16,6 +16,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
@@ -43,6 +44,9 @@ public class SysUploaderApi extends ApiBaseController{
     @Autowired
     XFileUploader uploader;
+
+    @Value(value = "${boe.domain}")
+    String domain;
     private static Set fileTypeSet=new HashSet<>();
     static {
@@ -149,7 +153,8 @@ public class SysUploaderApi extends ApiBaseController{
     @RequestMapping(value = "/url/download", method = RequestMethod.GET)
     public void urlDownload(HttpServletResponse res,String urlStr,String fileName) throws IOException {
-        URL url = new URL(urlStr);
+        URL url = new URL(urlStr);
+        downloadLimitation(url);
         HttpURLConnection conn = (HttpURLConnection)url.openConnection();
         //设置超时间为3秒
         conn.setConnectTimeout(3*1000);
@@ -193,4 +198,19 @@ public class SysUploaderApi extends ApiBaseController{
         //System.out.println("success");
     }
+    private void downloadLimitation(URL url) {
+        String allowedDomain = domain;
+        String allowedPathPrefix = "/upload/xfile/";
+
+        // 检查域名是否正确
+        if (!url.getHost().equals(allowedDomain)) {
+            throw new SecurityException("Download from this domain is not allowed.");
+        }
+
+        // 检查路径是否以允许的路径前缀开始
+        if (!url.getPath().startsWith(allowedPathPrefix)) {
+            throw new SecurityException("Download from this path is not allowed.");
+        }
+    }
+
 }
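Review bot: The new `downloadLimitation(url)` call in urlDownload validates only the URL the caller supplied, but the `HttpURLConnection` opened on the following line follows HTTP redirects by default, so a redirect answered by the allowed host would carry the request to a destination that was never checked. Add `conn.setInstanceFollowRedirects(false);` immediately after `url.openConnection()` and treat a 3xx response as a failed download, or re-run the same check on the `Location` target before following it. The rest of urlDownload lies outside this hunk, so I cannot see whether the response code is inspected further down.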