Merge branch 'master' into master

2021-11-30 17:53:24 +08:00
parent b1aab27338 0a5fc1e4a8
commit 7b2adc3979
270 changed files with 90418 additions and 84704 deletions
--- a/server/src/main/java/cn/keking/config/ConfigConstants.java
+++ b/server/src/main/java/cn/keking/config/ConfigConstants.java
@ -33,6 +33,7 @@ public class ConfigConstants {
    private static String ftpControlEncoding;
    private static String baseUrl;
    private static String fileDir = ConfigUtils.getHomePath() + File.separator + "file" + File.separator;
+    private static String localPreviewDir;
    private static CopyOnWriteArraySet<String> trustHostSet;
    private static String pdfPresentationModeDisable;
    private static String pdfOpenFileDisable;
@ -51,6 +52,7 @@ public class ConfigConstants {
    public static final String DEFAULT_FTP_CONTROL_ENCODING = "UTF-8";
    public static final String DEFAULT_BASE_URL = "default";
    public static final String DEFAULT_FILE_DIR_VALUE = "default";
+    public static final String DEFAULT_LOCAL_PREVIEW_DIR_VALUE = "default";
    public static final String DEFAULT_TRUST_HOST = "default";
    public static final String DEFAULT_PDF_PRESENTATION_MODE_DISABLE = "true";
    public static final String DEFAULT_PDF_OPEN_FILE_DISABLE = "true";
@ -211,6 +213,24 @@ public class ConfigConstants {
        }
    }

+    public static String getLocalPreviewDir() {
+        return localPreviewDir;
+    }
+
+    @Value("${local.preview.dir:default}")
+    public void setLocalPreviewDir(String localPreviewDir) {
+        setLocalPreviewDirValue(localPreviewDir);
+    }
+
+    public static void setLocalPreviewDirValue(String localPreviewDir) {
+        if (!DEFAULT_LOCAL_PREVIEW_DIR_VALUE.equals(localPreviewDir)) {
+            if (!localPreviewDir.endsWith(File.separator)) {
+                localPreviewDir = localPreviewDir + File.separator;
+            }
+        }
+        ConfigConstants.localPreviewDir = localPreviewDir;
+    }
+
    @Value("${trust.host:default}")
    public void setTrustHost(String trustHost) {
        setTrustHostValue(trustHost);
--- a/server/src/main/java/cn/keking/utils/DownloadUtils.java
+++ b/server/src/main/java/cn/keking/utils/DownloadUtils.java
@ -32,7 +32,7 @@ public class DownloadUtils {
     * @return 本地文件绝对路径
     */
    public static ReturnResponse<String> downLoad(FileAttribute fileAttribute, String fileName) {
-        String urlStr = fileAttribute.getUrl();
+        String urlStr = fileAttribute.getUrl().replaceAll("\\+", "%20");
        ReturnResponse<String> response = new ReturnResponse<>(0, "下载成功!!!", "");
        String realPath = DownloadUtils.getRelFilePath(fileName, fileAttribute);
        try {
--- a/server/src/main/java/cn/keking/utils/WebUtils.java
+++ b/server/src/main/java/cn/keking/utils/WebUtils.java
@ -81,6 +81,14 @@ public class WebUtils {
     * @return 文件名
     */
    public static String getFileNameFromURL(String url) {
+        if (url.toLowerCase().startsWith("file:")) {
+            try {
+                URL urlObj = new URL(url);
+                url = urlObj.getPath().substring(1);
+            } catch (MalformedURLException e) {
+                e.printStackTrace();
+            }
+        }
        // 因为url的参数中可能会存在/的情况，所以直接url.lastIndexOf("/")会有问题
        // 所以先从？处将url截断，然后运用url.lastIndexOf("/")获取文件名
        String noQueryUrl = url.substring(0, url.contains("?") ? url.indexOf("?") : url.length());
--- a/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java
+++ b/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java
@ -1,5 +1,6 @@
 package cn.keking.web.controller;

+import cn.keking.config.ConfigConstants;
 import cn.keking.model.FileAttribute;
 import cn.keking.service.FilePreview;
 import cn.keking.service.FilePreviewFactory;
@ -12,6 +13,7 @@ import fr.opensagres.xdocreport.core.io.IOUtils;
 import io.mola.galimatias.GalimatiasParseException;
 import jodd.io.NetUtil;
 import org.apache.commons.codec.binary.Base64;
+import org.artofsolving.jodconverter.util.PlatformUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.stereotype.Controller;
@ -25,9 +27,11 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.io.*;
 import java.net.URL;
+import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
 import java.util.List;
+import java.util.Locale;

 import static cn.keking.service.FilePreview.PICTURE_FILE_PREVIEW_PAGE;

@ -61,6 +65,9 @@ public class OnlinePreviewController {
            String errorMsg = String.format(BASE64_DECODE_ERROR_MSG, "url");
            return otherFilePreview.notSupportedFile(model, errorMsg);
        }
+        if (!allowPreview(fileUrl)) {
+            return otherFilePreview.notSupportedFile(model, "该文件不允许预览：" + fileUrl);
+        }
        FileAttribute fileAttribute = fileHandlerService.getFileAttribute(fileUrl, req);
        model.addAttribute("file", fileAttribute);
        FilePreview filePreview = previewFactory.get(fileAttribute);
@ -86,8 +93,14 @@ public class OnlinePreviewController {
        String currentUrl = req.getParameter("currentUrl");
        if (StringUtils.hasText(currentUrl)) {
            String decodedCurrentUrl = new String(Base64.decodeBase64(currentUrl));
+            if (!allowPreview(decodedCurrentUrl)) {
+                return otherFilePreview.notSupportedFile(model, "该文件不允许预览：" + decodedCurrentUrl);
+            }
            model.addAttribute("currentUrl", decodedCurrentUrl);
        } else {
+            if (!allowPreview(imgUrls.get(0))) {
+                return otherFilePreview.notSupportedFile(model, "该文件不允许预览：" + imgUrls.get(0));
+            }
            model.addAttribute("currentUrl", imgUrls.get(0));
        }
        return PICTURE_FILE_PREVIEW_PAGE;
@ -105,6 +118,12 @@ public class OnlinePreviewController {
        logger.info("下载跨域pdf文件url：{}", urlPath);
        try {
            URL url = WebUtils.normalizedURL(urlPath);
+            if (!allowPreview(urlPath)) {
+                response.setHeader("content-type", "text/html;charset=utf-8");
+                response.getOutputStream().println("forbidden");
+                response.setStatus(401);
+                return;
+            }
            byte[] bytes = NetUtil.downloadBytes(url.toString());
            IOUtils.write(bytes, response.getOutputStream());
        } catch (IOException | GalimatiasParseException e) {
@ -125,4 +144,24 @@ public class OnlinePreviewController {
        return "success";
    }

+    private boolean allowPreview(String urlPath) {
+        try {
+            URL url = WebUtils.normalizedURL(urlPath);
+            if ("file".equals(url.getProtocol().toLowerCase(Locale.ROOT))) {
+                String filePath = URLDecoder.decode(url.getPath(), StandardCharsets.UTF_8.name());
+                if (PlatformUtils.isWindows()) {
+                    filePath = filePath.replaceAll("/", "\\\\");
+                }
+                filePath = filePath.substring(1);
+                if (!filePath.startsWith(ConfigConstants.getFileDir()) && !filePath.startsWith(ConfigConstants.getLocalPreviewDir())) {
+                    return false;
+                }
+            }
+            return true;
+        } catch (IOException | GalimatiasParseException e) {
+            logger.error("解析URL异常，url：{}", urlPath, e);
+            return false;
+        }
+    }
+
 }