fix: 路径穿越

tjlygdx
2026-06-10 11:25:14 +08:00
parent 33d91a42ce
commit 3f614e2cfc

@@ -163,12 +163,9 @@ public class FontManage {
private FontDto saveFile(MultipartFile file, String fileNameUUID) throws DEException {
FontDto fontDto = new FontDto();
try {
String filename = file.getOriginalFilename();
FileUtils.validateUploadFilename(filename);
if (StringUtils.isEmpty(filename) || !filename.toLowerCase().endsWith(TTF_EXTENSION)) {
DEException.throwException("非法格式的文件!");
}
UploadedFont uploadedFont = validateAndReadUploadedFont(file);
validateUploadedFontFilename(file.getOriginalFilename());
byte[] fileBytes = file.getBytes();
UploadedFont uploadedFont = validateAndReadUploadedFont(fileBytes);
String fileTransName = fileNameUUID + TTF_EXTENSION;
Path filePath = resolveFontPath(fileTransName);
Files.write(filePath, uploadedFont.bytes(), StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE);
@@ -197,8 +194,14 @@ public class FontManage {
return fontDto;
}
private UploadedFont validateAndReadUploadedFont(MultipartFile file) throws Exception {
byte[] fileBytes = file.getBytes();
private void validateUploadedFontFilename(String filename) {
FileUtils.validateUploadFilename(filename);
if (StringUtils.isEmpty(filename) || !filename.toLowerCase().endsWith(TTF_EXTENSION)) {
DEException.throwException("非法格式的文件!");
}
}
private UploadedFont validateAndReadUploadedFont(byte[] fileBytes) throws Exception {
if (fileBytes.length == 0) {
DEException.throwException("非法格式的文件!");
}