public String singleFileUpload( MultipartFile file, RedirectAttributes redirectAttributes) {try {byte[] bytes = file.getBytes();Path dir = Paths.get(UPLOADED_FOLDER);Path path = Paths.get(UPLOADED_FOLDER + file.getOriginalFilename());Files.write(path, bytes);redirectAttributes.addFlashAttribute("message","上传文件成功:" + path + "");} catch (Exception e) {return e.toString();}return "redirect:upload_status";}
public String singleFileUploadSafe(("file") MultipartFile file,RedirectAttributes redirectAttributes) {try {byte[] bytes = file.getBytes();String fileName = file.getOriginalFilename();Path dir = Paths.get(UPLOADED_FOLDER);Path path = Paths.get(UPLOADED_FOLDER + file.getOriginalFilename());// 获取文件后缀名String Suffix = fileName.substring(fileName.lastIndexOf("."));String[] SuffixSafe = {".jpg", ".png", ".jpeg", ".gif", ".bmp", ".ico"};boolean flag = false;for (String s : SuffixSafe) {if (Suffix.toLowerCase().equals(s)) {flag = true;break;}}if (!flag) {return "只允许上传图片,[.jpg, .png, .jpeg, .gif, .bmp, .ico]";}
-
必须在服务器端采用白名单方式对上传或下载的文件类型、大小进行严格的限制。
-
仅允许业务所需文件类型上传,避免上传.jsp、.jspx、.html、.exe等文件。
https://github.com/j3ers3/Hello-Java-Sec原文始发于微信公众号(Reset安全):Java代码审计:文件上传
特别标注:
本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
- 我的微信
- 微信扫一扫
-
- 我的微信公众号
- 微信扫一扫
-
评论