public String singleFileUpload( MultipartFile file, RedirectAttributes redirectAttributes) {try {byte[] bytes = file.getBytes();Path dir = Paths.get(UPLOADED_FOLDER);Path path = Paths.get(UPLOADED_FOLDER + file.getOriginalFilename());Files.write(path, bytes);redirectAttributes.addFlashAttribute("message","上传文件成功:" + path + "");} catch (Exception e) {return e.toString();}return "redirect:upload_status";}
public String singleFileUploadSafe(("file") MultipartFile file,RedirectAttributes redirectAttributes) {try {byte[] bytes = file.getBytes();String fileName = file.getOriginalFilename();Path dir = Paths.get(UPLOADED_FOLDER);Path path = Paths.get(UPLOADED_FOLDER + file.getOriginalFilename());// 获取文件后缀名String Suffix = fileName.substring(fileName.lastIndexOf("."));String[] SuffixSafe = {".jpg", ".png", ".jpeg", ".gif", ".bmp", ".ico"};boolean flag = false;for (String s : SuffixSafe) {if (Suffix.toLowerCase().equals(s)) {flag = true;break;}}if (!flag) {return "只允许上传图片,[.jpg, .png, .jpeg, .gif, .bmp, .ico]";}
-
必须在服务器端采用白名单方式对上传或下载的文件类型、大小进行严格的限制。
-
仅允许业务所需文件类型上传,避免上传.jsp、.jspx、.html、.exe等文件。
https://github.com/j3ers3/Hello-Java-Sec原文始发于微信公众号(Reset安全):Java代码审计:文件上传
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论