
Comments (1)

martinzhou2015 avatar martinzhou2015 commented on May 14, 2024

Thanks for the contribution! After discussing with colleagues, we think the following approach would be simpler.

  1. [Suggestion] If files are stored in a directory mapped from a file server (or a dedicated file-management directory), there is no need to control the file extension; it is enough to ensure that directory traversal is impossible.

  2. If files are stored in an executable directory of the web container, then in addition to ensuring no directory traversal, the file type must also be controlled. Operations on file types such as .jsp, .jspx, .class, .java, .jar, .war, .xml, .js, .html, .shtml and .vbs must be forbidden. Preferably, use an allowlist tied to the business need:

    • Image types: .jpg, .jpeg, .png, .gif, .bmp
    • Document types: .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf

    File types can be restricted as follows:

import java.io.File;
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.springframework.web.bind.annotation.RequestMapping;

@RequestMapping("/path/delete")
public void safe_delete(HttpServletRequest request) {
    /*
     * Defence: check whether the extension of the user-supplied file name
     * is on the allowlist; only then proceed with the deletion.
     */
    String webRootPath = request.getSession().getServletContext().getRealPath("/");
    String fileName = request.getParameter("name");
    if (fileName == null || fileName.contains("..")) {
        return;
    }
    int pos = fileName.lastIndexOf(".");
    if (pos < 0) {
        return;   // no extension at all: reject instead of throwing on substring(-1)
    }
    String ext = fileName.substring(pos);
    // Allowlist of file types; adjust to the business need. Matched as whole
    // entries rather than by substring, so "." or ".jp" cannot slip through.
    List<String> whiteExt = Arrays.asList(".jpg", ".jpeg", ".png", ".gif", ".bmp");
    if (whiteExt.contains(ext)) {
        new File(webRootPath + fileName).delete();
    }
}

If you have different considerations, feel free to reopen the issue for discussion and someone will follow up.

from secguide.
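Added example, not the secguide project's own code, showing the two scenarios from the comment above in working Java: a canonical-path containment check that rejects traversal without inspecting the extension (scenario 1), and an exact-match extension allowlist that is applied only when the target is a web-container directory (scenario 2). The SafeFileOps class, the temporary base directory and the sample file names are constructed for the demo.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;

public class SafeFileOps {
    // Constructed allowlist, matching the image types listed in the comment.
    static final Set<String> ALLOWED_EXT = Set.of(".jpg", ".jpeg", ".png", ".gif", ".bmp");

    /** Scenario 1: resolve a user-supplied name against baseDir and return the
     *  canonical path only if it stays inside baseDir; otherwise return null. */
    static Path resolveInside(Path baseDir, String userName) throws IOException {
        if (userName == null || userName.isEmpty()) return null;
        Path base = baseDir.toRealPath();             // canonical base, symlinks resolved
        Path target = base.resolve(userName).normalize();
        if (!target.startsWith(base)) return null;    // "..", or an absolute path, escaped
        if (Files.exists(target)) {
            // Resolve symlinks on the target too, so a link pointing outside is caught.
            target = target.toRealPath();
            if (!target.startsWith(base)) return null;
        }
        return target;
    }

    /** Scenario 2: inside the web container the type must also be checked.
     *  Exact match on the whole extension; no extension or a trailing dot fails. */
    static boolean extensionAllowed(String userName) {
        int pos = userName.lastIndexOf('.');
        if (pos < 0 || pos == userName.length() - 1) return false;
        return ALLOWED_EXT.contains(userName.substring(pos).toLowerCase());
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("uploads");   // constructed sandbox directory
        Files.createFile(base.resolve("a.jpg"));
        String[] names = { "a.jpg", "sub/../a.jpg", "../etc/passwd", "/etc/passwd", "a.jsp", "a." };
        for (String n : names) {
            Path p = resolveInside(base, n);
            System.out.printf("%-16s inside=%-5s typeOK=%s%n", n, p != null, extensionAllowed(n));
        }
    }
}
```

Only a name that passes both checks (here "a.jpg" and "sub/../a.jpg", which normalizes to the same file) should reach File.delete() in the web-container case; in the file-server case the containment check alone decides.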
