File upload bypass exists #69

Closed
yazi7 opened this issue Dec 28, 2021 · 0 comments

yazi7 commented Dec 28, 2021

In this code, the verification suffix should verify the file type after the last point:
```java
public final String allowSuffix = ".bmp.jpg.jpeg.png.gif.pdf.doc.zip.rar.gz";

/**
 * Upload a file
 *
 * @param file
 * @return
 * @throws IOException
 */
@RequestMapping(value = "/img", method = RequestMethod.POST)
public JsonResult uploadFile(@RequestParam("file") MultipartFile file) {

    // 1. Filter by file suffix; only some suffixes are allowed
    // Full file name, e.g. spring.jpeg
    String filename = file.getOriginalFilename();
    // File name, e.g. spring
    String name = filename.substring(0, filename.indexOf("."));
    // File suffix, e.g. .jpeg
    String suffix = filename.substring(filename.lastIndexOf("."));

    if (allowSuffix.indexOf(suffix) == -1) {
        return new JsonResult().fail("不允许上传该后缀的文件!");
    }
```

example: [image: 1640676827(1)]

@saysky saysky closed this as completed Feb 17, 2022
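
An added example, not code from the issue or the project: the suffix check from the posted snippet next to an exact-match allowlist, run over constructed file names to show where the two differ. `SuffixCheckDemo`, `originalCheck`, `strictCheck` and `ALLOWED` are names assumed here, and lowercasing the suffix before comparison is a choice of this example.

```java
import java.util.Locale;
import java.util.Set;

public class SuffixCheckDemo {
    // Same string as in the posted code.
    static final String allowSuffix = ".bmp.jpg.jpeg.png.gif.pdf.doc.zip.rar.gz";

    // Exact-match allowlist holding the same ten suffixes (Set.of needs Java 9+).
    static final Set<String> ALLOWED = Set.of(
            ".bmp", ".jpg", ".jpeg", ".png", ".gif",
            ".pdf", ".doc", ".zip", ".rar", ".gz");

    // The check as posted: a substring search inside the concatenated string,
    // so any fragment of the string that starts at a dot is accepted.
    static boolean originalCheck(String filename) {
        String suffix = filename.substring(filename.lastIndexOf("."));
        return allowSuffix.indexOf(suffix) != -1;
    }

    // Exact comparison of the text after the last dot. Rejects null names,
    // names without a dot, names that start with the only dot, and names
    // that end in a dot.
    static boolean strictCheck(String filename) {
        if (filename == null) return false;
        int dot = filename.lastIndexOf('.');
        if (dot <= 0 || dot == filename.length() - 1) return false;
        return ALLOWED.contains(filename.substring(dot).toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample names, not taken from the issue.
        String[] samples = {"spring.jpeg", "photo.JPG", "notes.jp",
                            "report.p", "trailing.", "archive"};
        for (String name : samples) {
            String original;
            try {
                original = String.valueOf(originalCheck(name));
            } catch (StringIndexOutOfBoundsException e) {
                // A name without a dot makes substring(-1) throw.
                original = "exception";
            }
            System.out.printf("%-12s original=%-9s strict=%s%n",
                    name, original, strictCheck(name));
        }
    }
}
```

An extension allowlist constrains only the name the client sent; it says nothing about the bytes in the file.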