diff --git a/modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/ContentPackageGenerator.java b/modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/ContentPackageGenerator.java
index f38b7c01..2845d0ab 100644
--- a/modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/ContentPackageGenerator.java
+++ b/modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/ContentPackageGenerator.java
@@ -119,6 +119,10 @@ public class ContentPackageGenerator {
     private String scormPkgDir;
 
     public ContentPackage generateContentPackageFromFile(String scormPkgDir) {
+        if (scormPkgDir.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         if (scormPkgDir == null) {
             log.error("scorm package directory is null");
             return contentPackage;
diff --git a/modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/FileUtils.java b/modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/FileUtils.java
index 1854c3eb..db79e6d8 100644
--- a/modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/FileUtils.java
+++ b/modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/FileUtils.java
@@ -44,6 +44,10 @@ public class FileUtils {
     }
 
     public static File createFile(String dstPath, String fileName) throws IOException {
+        if (dstPath.contains("..") || fileName.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         String[] dirs = fileName.split("/");
         File file = new File(dstPath);
 
diff --git a/modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/SCORMPackageManager.java b/modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/SCORMPackageManager.java
index fd77210c..3dccd162 100644
--- a/modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/SCORMPackageManager.java
+++ b/modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/SCORMPackageManager.java
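Review bot: The new `scormPkgDir.contains("..")` check sits before the existing `if (scormPkgDir == null)` guard, so a null argument now fails with a NullPointerException instead of taking the logged `return contentPackage` path the method already provides. Move the traversal check below the null guard: keep `if (scormPkgDir == null) { ... }` first and then `if (scormPkgDir.contains("..")) { throw new SecurityException("输入路径包含不安全的字符"); }`. A substring test on `..` is also a coarse filter; if the caller knows the base directory SCORM packages live under, resolving the path against it and checking `normalize().startsWith(base)` is the more reliable form, but no such base is visible in this hunk. generateContentPackageFromFile continues outside the hunk.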
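Review bot: `fileName.contains("..")` rejects the obvious traversal sequence but still lets an absolute `fileName` (leading `/`) or a backslash-separated name reach the `fileName.split("/")` and `new File(dstPath)` path building that follows, so the destination is not fully constrained to `dstPath`. Since this helper builds the final path itself, the robust check is to resolve the candidate against the destination and verify containment, e.g. `Path base = Paths.get(dstPath).toAbsolutePath().normalize();` followed by `if (!base.resolve(fileName).normalize().startsWith(base)) { throw new SecurityException("输入路径包含不安全的字符"); }`, which covers the `..` case as well. Where `fileName` originates (archive entry name or request parameter) is not visible here; createFile continues outside the hunk.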
@@ -119,6 +119,11 @@ public class SCORMPackageManager {
             return null;
         }
 
+        if (packagePath.contains("..")) {
+//          throw new SecurityException("输入路径包含不安全的字符");
+            return null;
+        }
+
         // step 1: uncompress
         File f=new File(packagePath);
         if(!f.exists()) {
diff --git a/modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/ZipUtils.java b/modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/ZipUtils.java
index 076b3735..bb6ed85a 100644
--- a/modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/ZipUtils.java
+++ b/modules/boe-module-scorm/src/main/java/com/xboe/module/scorm/cam/load/ZipUtils.java
@@ -60,6 +60,10 @@ public class ZipUtils {
     }
 
     public static boolean decompressZip(String zipFilePath, String saveFileDir) {
+        if (saveFileDir.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         if (!isEndWithZip(zipFilePath)) {
             return false;
         }
diff --git a/servers/boe-server-all/src/main/java/com/xboe/converter/ExcelToPdfConverter.java b/servers/boe-server-all/src/main/java/com/xboe/converter/ExcelToPdfConverter.java
index f2051e65..06a2f3a0 100644
--- a/servers/boe-server-all/src/main/java/com/xboe/converter/ExcelToPdfConverter.java
+++ b/servers/boe-server-all/src/main/java/com/xboe/converter/ExcelToPdfConverter.java
@@ -66,6 +66,10 @@ public class ExcelToPdfConverter implements ICourseFileConverter {
 
     @Override
     public String convert(String fileType, String filePath) throws Exception{
+        if (filePath.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         if (this.getLicense()) {
             FileOutputStream fileOS=null;
             String previewPath = null;
diff --git a/servers/boe-server-all/src/main/java/com/xboe/converter/PPTToPdfConverter.java b/servers/boe-server-all/src/main/java/com/xboe/converter/PPTToPdfConverter.java
index aa3f01cc..183a0468 100644
--- a/servers/boe-server-all/src/main/java/com/xboe/converter/PPTToPdfConverter.java
+++ b/servers/boe-server-all/src/main/java/com/xboe/converter/PPTToPdfConverter.java
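Review bot: The `throw new SecurityException(...)` in the new block is commented out and replaced by a bare `return null`, so a rejected `packagePath` is indistinguishable from the method's other null returns and leaves no trace anywhere; the CourseFileApi hunk at line 395 follows the same pattern. Either keep the throw, which is what every other file in this commit does, or at least log before returning, e.g. `log.error("package path rejected: contains '..'"); return null;` (assuming this class has a logger like ContentPackageGenerator's `log`), and delete the commented-out line instead of leaving dead code. If callers read null as "package not found", the silent return also hides the rejection from the user. The enclosing method starts and ends outside the hunk.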
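Review bot: Only `saveFileDir` is checked for `..`; the entry names inside the archive, which are what actually decide where each extracted file lands, are not validated in this hunk. Unless the extraction loop hands every entry to `FileUtils.createFile` (which this commit also guards), an entry whose name resolves outside `saveFileDir` would still be written there; the dependable check is to resolve each entry name against the save directory and verify `normalize().startsWith(base)` before writing it. `zipFilePath` is left unchecked as well, which is only acceptable if it is never user-controlled. decompressZip continues outside the hunk.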
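Review bot: The four-line `filePath.contains("..")` block is pasted verbatim into ExcelToPdfConverter, PPTToPdfConverter and WordToPdfConverter (the next two hunks), each repeating the same message string; since all three implement `ICourseFileConverter`, the check belongs in one place, e.g. a static `ICourseFileConverter.requireSafePath(String filePath)` (or a default method) called once at the top of each `convert`, so the rule and its message cannot drift between converters. `convert` is declared `throws Exception`, so a `SecurityException` thrown here propagates like any other failure; whether callers distinguish it from a conversion error is not visible in the hunk. convert's body continues outside the hunk in all three files.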
@@ -65,6 +65,10 @@ public class PPTToPdfConverter implements ICourseFileConverter {
 
     @Override
     public String convert(String fileType, String filePath) throws Exception{
+        if (filePath.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         if (this.getLicense()) {
             InputStream slides=null;
             Presentation pres=null;
diff --git a/servers/boe-server-all/src/main/java/com/xboe/converter/WordToPdfConverter.java b/servers/boe-server-all/src/main/java/com/xboe/converter/WordToPdfConverter.java
index e173ecfa..cfdfc0a6 100644
--- a/servers/boe-server-all/src/main/java/com/xboe/converter/WordToPdfConverter.java
+++ b/servers/boe-server-all/src/main/java/com/xboe/converter/WordToPdfConverter.java
@@ -69,6 +69,10 @@ public class WordToPdfConverter implements ICourseFileConverter {
 
     @Override
     public String convert(String fileType, String filePath) throws Exception{
+        if (filePath.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         if (this.getLicense()) {
             File pdfFile=null;
             FileOutputStream fileOS=null;
diff --git a/servers/boe-server-all/src/main/java/com/xboe/module/course/api/CourseFileApi.java b/servers/boe-server-all/src/main/java/com/xboe/module/course/api/CourseFileApi.java
index 9f40cdae..df26a55f 100644
--- a/servers/boe-server-all/src/main/java/com/xboe/module/course/api/CourseFileApi.java
+++ b/servers/boe-server-all/src/main/java/com/xboe/module/course/api/CourseFileApi.java
@@ -227,6 +227,10 @@ public class CourseFileApi extends ApiBaseController {
             return badRequest("请先选择资源归属");
         }
 
+        if (file.getFilePath().contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
         // 重设文件类型为小写
         file.setFileType(file.getFileType().toLowerCase());
 
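Review bot: `file.getFilePath().contains("..")` dereferences `getFilePath()` without a null check, so a request that carries no file path now ends in a NullPointerException rather than a validation error; the surrounding code in this method answers bad input with `return badRequest(...)`, and a `SecurityException` thrown from a controller method will most likely surface as a generic server error instead of a 400. Follow the method's own convention: `if (file.getFilePath() == null || file.getFilePath().contains("..")) { return badRequest("输入路径包含不安全的字符"); }`. The enclosing controller method starts and ends outside the hunk.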
@@ -395,8 +399,15 @@ public class CourseFileApi extends ApiBaseController {
             //return badRequest("参数错误");
             return;
         }
-
-        String cfPath=null;
+
+        if (cf.contains("..")) {
+            log.error("参数错误");
+//          throw new SecurityException("输入路径包含不安全的字符");
+            return;
+        }
+
+
+        String cfPath=null;
         String fileName ="";
         if(StringUtils.isNotBlank(cf)) {
             cfPath=cf;
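Review bot: `cf.contains("..")` runs before the existing `if(StringUtils.isNotBlank(cf))` a few lines below, which suggests `cf` may legitimately be null or blank at this point; if it is, the new check throws a NullPointerException instead of taking the intended early return. Guard it the same way, `if (StringUtils.isNotBlank(cf) && cf.contains("..")) {`, and make the log line say what was rejected, since `log.error("参数错误")` gives no hint that the path contained `..`. The commented-out `throw` and the two extra blank lines before `String cfPath=null;` should be dropped. The enclosing method starts and ends outside the hunk.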