路径遍历

2025-12-10 11:26:50 +08:00 · 2024-08-26 17:00:10 +08:00
parent 776e1e6cbc
commit bea6d680e9
8 changed files with 42 additions and 2 deletions
--- a/servers/boe-server-all/src/main/java/com/xboe/converter/ExcelToPdfConverter.java
+++ b/servers/boe-server-all/src/main/java/com/xboe/converter/ExcelToPdfConverter.java
@@ -66,6 +66,10 @@ public class ExcelToPdfConverter implements ICourseFileConverter {

    @Override
    public String convert(String fileType, String filePath)  throws Exception{
+        if (filePath.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
        if (this.getLicense()) {
            FileOutputStream fileOS=null;
            String previewPath = null;
--- a/servers/boe-server-all/src/main/java/com/xboe/converter/PPTToPdfConverter.java
+++ b/servers/boe-server-all/src/main/java/com/xboe/converter/PPTToPdfConverter.java
@@ -65,6 +65,10 @@ public class PPTToPdfConverter implements ICourseFileConverter {

    @Override
    public String convert(String fileType, String filePath) throws Exception{
+        if (filePath.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
        if (this.getLicense()) {
            InputStream slides=null;
            Presentation pres=null;
--- a/servers/boe-server-all/src/main/java/com/xboe/converter/WordToPdfConverter.java
+++ b/servers/boe-server-all/src/main/java/com/xboe/converter/WordToPdfConverter.java
@@ -69,6 +69,10 @@ public class WordToPdfConverter implements ICourseFileConverter {

    @Override
    public String convert(String fileType, String filePath) throws Exception{
+        if (filePath.contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
        if (this.getLicense()) {
            File pdfFile=null;
            FileOutputStream fileOS=null;
--- a/servers/boe-server-all/src/main/java/com/xboe/module/course/api/CourseFileApi.java
+++ b/servers/boe-server-all/src/main/java/com/xboe/module/course/api/CourseFileApi.java
@@ -227,6 +227,10 @@ public class CourseFileApi extends ApiBaseController {
        	return badRequest("请先选择资源归属");
        }

+        if (file.getFilePath().contains("..")) {
+            throw new SecurityException("输入路径包含不安全的字符");
+        }
+
        // 重设文件类型为小写
        file.setFileType(file.getFileType().toLowerCase());

@@ -395,8 +399,15 @@ public class CourseFileApi extends ApiBaseController {
 			//return badRequest("参数错误");
 			return;
 		}
-		
-		String cfPath=null;
+
+        if (cf.contains("..")) {
+            log.error("参数错误");
+//            throw new SecurityException("输入路径包含不安全的字符");
+            return;
+        }
+
+
+        String cfPath=null;
 		String fileName ="";
 		if(StringUtils.isNotBlank(cf)) {
 			cfPath=cf;