fix: 加强图片校验,防止恶意代码通过合成到图片上传到服务器中引起的攻击行为

wangjiahao 2023-09-13 18:20:55 +08:00
parent 64726f1388
commit 8265130531
3 changed files with 8 additions and 3 deletions


@ -24,6 +24,8 @@ import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
* Author: wangjiahao
@ -65,9 +67,12 @@ public class StaticResourceService {
LogUtil.error(e.getMessage(), e);
return false;
}
if (image == null || image.getWidth() <= 0 || image.getHeight() <= 0) {
Pattern pattern = Pattern.compile("\\.(png|jpg|jpeg|gif)$");
Matcher matcher = pattern.matcher(file.getOriginalFilename().toLowerCase());
if (image == null || image.getWidth() <= 0 || image.getHeight() <= 0 || !matcher.find()) {
return false;
}
return true;
}
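Review bot: The new `Matcher matcher = pattern.matcher(file.getOriginalFilename().toLowerCase());` line dereferences the original filename before any null check, so a part submitted without a filename would throw here instead of returning false; the type of `file` is declared outside the hunk, but on Spring's `MultipartFile` this getter can return null. A null-safe and locale-independent form would be `String name = file.getOriginalFilename();` then `if (name == null || !EXT.matcher(name.toLowerCase(Locale.ROOT)).find()) return false;`, with the pattern hoisted to a `private static final Pattern EXT` (this needs `java.util.Locale` imported). The extension is also taken from a client-supplied name and the decode check only shows the bytes parse as an image, so neither inspects trailing or metadata content; if the goal in the commit title is to be met, re-encoding the decoded `image` and choosing the stored name and content type on the server would be the stronger control. The enclosing method begins outside the hunk.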


@ -110,7 +110,7 @@
<el-col style="width: 130px!important;">
<el-upload
action=""
accept=".jpeg,.jpg,.png,.gif,.svg"
accept=".jpeg,.jpg,.png,.gif"
class="avatar-uploader"
list-type="picture-card"
:class="{disabled:uploadDisabled}"
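Review bot: Dropping `.svg` from `accept` only changes what the browser's file picker offers; it is not enforcement, so the server-side check has to remain the authority for this upload. The allowed list is now written out three times in this commit (here, in the identical `accept=".jpeg,.jpg,.png,.gif"` line of the next template, and in the Java regex), and the copies can drift apart; consider binding both templates to one shared constant, e.g. `:accept="imageAccept"`. If the `el-upload` has a `before-upload` hook (not visible in this hunk), the same list could be checked there to give the user an immediate error.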


@ -86,7 +86,7 @@
<el-col style="width: 148px!important;height: 148px!important;overflow: hidden">
<el-upload
action=""
accept=".jpeg,.jpg,.png,.gif,.svg"
accept=".jpeg,.jpg,.png,.gif"
class="avatar-uploader"
list-type="picture-card"
:class="{disabled:uploadDisabled}"