
file upload bug
star7th committed Mar 14, 2022
1 parent e5d5759 commit 237ac6d
Showing 2 changed files with 26 additions and 5 deletions.
Expand Up @@ -79,7 +79,9 @@ public function uploadImg(){
return false;
}

if(D("Attachment")->isDangerFilename($_FILES['editormd-image-file']['name'])){
if(!D("Attachment")->isAllowedFilename($_FILES['editormd-image-file']['name'])){
$message = "不支持上传该文件类型。如有需要请联系网站管理员" ;
echo json_encode(array("message"=>$message,"success"=>0));
return false;
}

Expand Down Expand Up @@ -109,8 +111,8 @@ public function attachmentUpload(){
return false;
}

if(D("Attachment")->isDangerFilename($uploadFile['name'])){
$this->sendError(10100,'不支持此文件类型');
if(!D("Attachment")->isAllowedFilename($uploadFile['name'])){
$this->sendError(10101,'不支持上传该文件类型。如有需要请联系网站管理员');
return false;
}

Expand Down
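Review bot: `uploadImg` reads `editormd-image-file`, which suggests an image-only upload path, yet the new `isAllowedFilename` check accepts every entry of the shared allowlist — archives, `.apk`, `.swf`, `.json`, `.css` — so this endpoint now admits non-image files it previously had no reason to take. Consider an image-specific guard here, e.g. `if(!preg_match('/\.(jpe?g|png|gif|bmp|webp|ico)$/i', $_FILES['editormd-image-file']['name'])){`, or an `isAllowedImageFilename` helper on the Attachment model so the two endpoints keep distinct policies. Both `uploadImg` and `attachmentUpload` begin before their hunks, so how the file is named and stored after this check is not visible here.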
23 changes: 21 additions & 2 deletions server/Application/Api/Model/AttachmentModel.class.php
Expand Up @@ -57,7 +57,7 @@ public function deleteFile($file_id){
public function upload($_files , $file_key , $uid , $item_id = 0 , $page_id = 0 ){
$uploadFile = $_files[$file_key] ;

if($this->isDangerFilename($uploadFile['name'])){
if( !$this->isAllowedFilename($_files[$file_key]['name']) ){
return false;
}

Expand Down Expand Up @@ -288,6 +288,7 @@ public function getQiuniuEndpointByKey($key,$bucket){
}

// 判断文件名是否包含危险的扩展名
// 准备弃用。因为一个个ban太麻烦了。准备改用白名单机制
public function isDangerFilename($filename){

$isDangerStr = function ($filename , $keyword){
Expand Down Expand Up @@ -319,6 +320,24 @@ public function isDangerFilename($filename){
return false;
}


// 判断上传的文件扩展名是否处于白名单内
public function isAllowedFilename($filename){
$allow_array = array(
'.jpg','.jpeg','.png','.bmp','.gif','.ico','.webp',
'.mp3','.wav','.m4a','.ogg','.webma','.mp4','.flv',
'.mov','.webmv','.m3u8a','.flac','.mkv',
'.zip','.tar','.gz','.tgz','.ipa','.apk','.rar','.iso','.bz2','.epub',
'.pdf','.ofd','.swf','.epub','.xps',
'.doc','.docx','.odt','.rtf','.docm','.dotm','.dot','.dotx','.wps','.wpt',
'.ppt','.pptx','.xls','.xlsx','.txt','.md','.psd','.csv',
'.cer','.ppt','.pub','.properties','.json','.css',
) ;

$ext = strtolower(substr($filename,strripos($filename,'.')) ); //获取文件扩展名(转为小写后)
if(in_array( $ext , $allow_array ) ){
return true ;
}
return false;
}

}
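Review bot: `isAllowedFilename` in the last hunk inspects only the final extension of the client-supplied `$filename`, so a name such as `x.php.jpg` passes; whether that is exploitable depends on how `upload()` names the stored file and on the web server's handler rules, neither of which is visible here. If the stored name is derived from the upload name, generating it from a random token plus the validated `$ext` would make the check independent of server configuration. `.swf` in the allowlist permits hosting a same-origin Flash file and deserves a comment or removal, and `.epub` and `.ppt` each appear twice. Minor: `in_array($ext, $allow_array, true)` avoids loose comparison, and a header comment such as `// Extension allowlist; only the last, lower-cased extension of the client name is checked` would state the contract for callers.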
