修复远程文件文件名带有穿越漏洞的BUG

2024-03-27 08:55:28 +08:00
parent 59315c3200
commit b65a04857c
2 changed files with 9 additions and 2 deletions
--- a/server/src/main/java/cn/keking/utils/WebUtils.java
+++ b/server/src/main/java/cn/keking/utils/WebUtils.java
@ -79,7 +79,9 @@ public class WebUtils {
            urlStr = clearFullfilenameParam(urlStr);
        } else {
            fullFileName = getFileNameFromURL(urlStr); //获取文件名
-
+        }
+        if (KkFileUtils.isIllegalFileName(fullFileName)) { //判断文件名是否带有穿越漏洞
+            return null;
        }
        if (!UrlEncoderUtils.hasUrlEncoded(fullFileName)) {  //判断文件名是否转义
            try {