From 30f0118ae5eefb12d99d3b2e05afab1e7a350e5b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E9=9F=A9=E6=98=95=E7=9D=BF?= <22371298@buaa.edu.cn>
Date: Fri, 9 May 2025 21:24:41 +0800
Subject: [PATCH] =?UTF-8?q?[fix]:=20=E9=99=90=E5=88=B6=E4=B8=8A=E4=BC=A0?=
 =?UTF-8?q?=E6=96=87=E7=8C=AE=E4=B8=BApdf?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/api/v1/endpoints/article.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/app/api/v1/endpoints/article.py b/app/api/v1/endpoints/article.py
index 555db81..a6e92a6 100644
--- a/app/api/v1/endpoints/article.py
+++ b/app/api/v1/endpoints/article.py
@@ -18,7 +18,12 @@
 
 @router.post("/uploadToSelfFolder", response_model="dict")
 async def upload_to_self_folder(folder_id: int = Query(...), article: UploadFile = File(...), db: AsyncSession = Depends(get_db)):
-    # 由前端保证上传的为 PDF
+    # 检查上传的必须为 PDF
+    head = await article.read(5)                    # 读取文件的前 5 个字节，用于魔数检测
+    if not head.startswith(b"%PDF-"):
+        raise HTTPException(status_code=405, detail="File uploaded must be a PDF.")
+    await article.seek(0)                           # 重置文件指针位置
+
     # 用文件名（不带扩展名）作为 Article 名称
     name = os.path.splitext(article.filename)[0]