fix[litemall-wx-api]: 修复文件路径中包含"../"带来的安全问题
linlinjava committed Oct 16, 2018
1 parent 3313051 commit 49ab94d
Showing 1 changed file with 11 additions and 4 deletions.
Expand Up @@ -58,14 +58,17 @@ public Object upload(@RequestParam("file") MultipartFile file) throws IOExceptio
public ResponseEntity<Resource> fetch(@PathVariable String key) {
LitemallStorage litemallStorage = litemallStorageService.findByKey(key);
if (key == null) {
ResponseEntity.notFound();
return ResponseEntity.notFound().build();
}
if(key.contains("../")){
return ResponseEntity.badRequest().build();
}
String type = litemallStorage.getType();
MediaType mediaType = MediaType.parseMediaType(type);

Resource file = storageService.loadAsResource(key);
if (file == null) {
ResponseEntity.notFound();
return ResponseEntity.notFound().build();
}
return ResponseEntity.ok().contentType(mediaType).body(file);
}
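Review bot: The `key.contains("../")` guard added to fetch (and the identical one in download) is a substring denylist, so it misses `..\` on a Windows host and any other spelling the storage layer might resolve outside its root. A structural check is more dependable: where `loadAsResource` is implemented (not visible on this page), resolve the key against the storage root, normalize the result, and refuse it unless it still starts with that root. Separately, both methods test `key == null` only after `findByKey(key)` has already run, and `litemallStorage` is never checked before `litemallStorage.getType()`. Replacing that test with `if (litemallStorage == null) { return ResponseEntity.notFound().build(); }` turns an unknown key into a 404 and limits served files to keys that have a storage record.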
Expand All @@ -74,14 +77,18 @@ public ResponseEntity<Resource> fetch(@PathVariable String key) {
public ResponseEntity<Resource> download(@PathVariable String key) {
LitemallStorage litemallStorage = litemallStorageService.findByKey(key);
if (key == null) {
ResponseEntity.notFound();
return ResponseEntity.notFound().build();
}
if(key.contains("../")){
return ResponseEntity.badRequest().build();
}

String type = litemallStorage.getType();
MediaType mediaType = MediaType.parseMediaType(type);

Resource file = storageService.loadAsResource(key);
if (file == null) {
ResponseEntity.notFound();
return ResponseEntity.notFound().build();
}
return ResponseEntity.ok().contentType(mediaType).header(HttpHeaders.CONTENT_DISPOSITION,
"attachment; filename=\"" + file.getFilename() + "\"").body(file);
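Review bot: The `Content-Disposition` value at the end of download is built by concatenating `file.getFilename()` between literal quotes, so a name containing `"` or control characters would yield a malformed or ambiguous header. Where that name originates is not visible here; presumably it derives from the stored key, which is request-controlled. If the project's Spring version provides it, `ContentDisposition.builder("attachment").filename(file.getFilename()).build().toString()` lets the framework format the value instead of hand-built string concatenation. The closing brace of download lies outside the hunk.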