From 888e5504530ac9e77459bcca63cf323cd4cd137d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=AB=98=E9=9B=84?=
Date: Mon, 10 Apr 2023 03:26:51 +0000
Subject: [PATCH] =?UTF-8?q?=E7=B2=BE=E7=AE=80=E5=8E=8B=E7=BC=A9=E5=8C=85?= =?UTF-8?q?=E8=A7=A3=E6=9E=90=E7=9A=84=E6=97=A0=E7=94=A8=E4=BB=A3=E7=A0=81?= =?UTF-8?q?=20=E7=B2=BE=E7=AE=80=E5=8E=8B=E7=BC=A9=E5=8C=85=E8=A7=A3?= =?UTF-8?q?=E6=9E=90=E7=9A=84=E6=97=A0=E7=94=A8=E4=BB=A3=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 高雄
---
 .../main/java/cn/keking/web/controller/FileController.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/server/src/main/java/cn/keking/web/controller/FileController.java b/server/src/main/java/cn/keking/web/controller/FileController.java
index 549c6f0a..b9bb5f47 100644
--- a/server/src/main/java/cn/keking/web/controller/FileController.java
+++ b/server/src/main/java/cn/keking/web/controller/FileController.java
@@ -165,7 +165,10 @@ public class FileController {
 fileUrl = WebUtils.decodeUrl(urls);
 } catch (Exception ex) {
 String errorMsg = String.format(BASE64_DECODE_ERROR_MSG, "url");
- return errorMsg;
+ return ReturnResponse.failure(errorMsg);
+ }
+ if (KkFileUtils.isIllegalFileName(fileUrl)) {
+ return ReturnResponse.failure("不允许访问的路径:");
 }
 return RarUtils.getTree(fileUrl);
 }
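Review bot: The added `KkFileUtils.isIllegalFileName(fileUrl)` guard is the only check between a caller-supplied, Base64-decoded value and `RarUtils.getTree(fileUrl)`, and its body is not part of this patch, so the hunk alone does not show which path forms it rejects. If it is a substring or pattern test, I would back it with a containment check on the resolved location, along the lines of `if (!base.resolve(fileUrl).normalize().startsWith(base)) return ReturnResponse.failure(...)`, where `base` is a placeholder for the configured storage root (the real field is not visible here). The rejection branch is also silent; a warn-level log entry carrying the rejected value with line breaks stripped would let operators see repeated probing of this endpoint. The message `"不允许访问的路径:"` ends in a colon with nothing after it, which reads like an unfinished concatenation; drop the colon rather than echoing the raw input back. The method's signature and the start of the `try` block lie outside the hunk, so the declared return type that now carries both `ReturnResponse` and the `getTree` result should be checked there.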