优化上传扩展名的配置;增加上传文件代码注入检测;
@@ -6,7 +6,7 @@
|
||||
<div class="layui-input-block layuimini-upload">
|
||||
<input name="head_img" class="layui-input layui-col-xs6" lay-verify="required" lay-reqtext="请上传文件" placeholder="请上传文件" value="">
|
||||
<div class="layuimini-upload-btn">
|
||||
<span><a class="layui-btn" data-upload="head_img" data-upload-number="*" data-upload-exts="*"><i class="fa fa-upload"></i> 上传文件</a></span>
|
||||
<span><a class="layui-btn" data-upload="head_img" data-upload-number="*" data-upload-exts=""><i class="fa fa-upload"></i> 上传文件</a></span>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
@@ -4,6 +4,7 @@ namespace app\common\service;
|
||||
|
||||
use app\admin\model\SystemUploadfile;
|
||||
use app\common\tools\PathTools;
|
||||
use think\exception\ValidateException;
|
||||
use think\facade\App;
|
||||
use think\facade\Filesystem;
|
||||
use think\facade\Validate;
|
||||
@@ -24,7 +25,7 @@ class UploadService
|
||||
$this->uploadType = $upload_type;
|
||||
}
|
||||
|
||||
public function validate($file, $allow_ext = null, $allow_size = null, $fail_exception = false)
|
||||
public function validate(File $file, $allow_ext = null, $allow_size = null, $fail_exception = false)
|
||||
{
|
||||
$uploadConfig = sysconfig('upload');
|
||||
|
||||
@@ -41,10 +42,28 @@ class UploadService
|
||||
'file|文件' => "require|file|fileExt:{$uploadConfig['upload_allow_ext']}|fileSize:{$uploadConfig['upload_allow_size']}",
|
||||
];
|
||||
|
||||
return Validate::failException($fail_exception)->check([
|
||||
$validat_result = Validate::failException($fail_exception)->check([
|
||||
'upload_type' => $this->uploadType,
|
||||
'file' => $file
|
||||
], $rule);
|
||||
|
||||
if (!$validat_result) {
|
||||
return $validat_result;
|
||||
}
|
||||
|
||||
|
||||
// 出于性能原因,您可以注释掉下面的代码
|
||||
$file_path = $file->getRealPath();
|
||||
|
||||
if (strpos(file_get_contents($file_path), '<?php') !== false) {
|
||||
if ($fail_exception) {
|
||||
throw new ValidateException("文件含有PHP注入代码");
|
||||
} else {
|
||||
return '文件含有PHP注入代码';
|
||||
}
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
public function validateException($file, $allow_ext = null, $allow_size = null)
|
||||
|
||||
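Review bot: The new content check returns the string `'文件含有PHP注入代码'` when `$fail_exception` is false, while the validator path just above returns `$validat_result`, i.e. `false`; a caller that tests the result for falsiness, as the hunk's own `if (!$validat_result)` does, will see a non-empty string as success and accept the file. Either return `false` here as well or make callers compare with `!== true`, and state the `true|false|string` contract in the method's docblock. The scan is also case-sensitive and matches only the full `<?php` opener, whereas PHP's open tag is case-insensitive and the `<?=` echo tag is always enabled; `if (preg_match('/<\?(php|=)/i', file_get_contents($file_path))) {` covers those forms, though a content denylist remains a secondary control behind the extension allowlist and storing uploads where they cannot be executed. `file_get_contents` loads the whole upload into memory, so bounding the read by the configured size limit or scanning in chunks addresses the cost the `// 出于性能原因` comment warns about.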
@@ -63,15 +63,17 @@ define(["jquery", "tableSelect", "ckeditor", 'miniTheme', 'tableData', 'citypick
|
||||
'file': []
|
||||
}
|
||||
|
||||
var allExtGroup = [];
|
||||
|
||||
for (const extGroupName in extGroup) {
|
||||
if (Object.hasOwnProperty.call(extGroup, extGroupName)) {
|
||||
const extGroupList = extGroup[extGroupName];
|
||||
if (init.upload_exts.length > 0) {
|
||||
init.upload_exts += '|';
|
||||
}
|
||||
init.upload_exts += extGroupList.join('|')
|
||||
|
||||
allExtGroup = allExtGroup.concat(extGroupList)
|
||||
|
||||
}
|
||||
}
|
||||
init.upload_exts += allExtGroup.join('|')
|
||||
|
||||
var admin = {
|
||||
config: {
|
||||
@@ -1963,7 +1965,7 @@ define(["jquery", "tableSelect", "ckeditor", 'miniTheme', 'tableData', 'citypick
|
||||
|
||||
if (uploadList.length > 0) {
|
||||
$.each(uploadList, function (i, v) {
|
||||
var uploadExts = $(this).attr('data-upload-exts') || init.upload_exts,
|
||||
var uploadExts = $(this).attr('data-upload-exts'),
|
||||
uploadName = $(this).attr('data-upload'),
|
||||
uploadNumber = $(this).attr('data-upload-number') || 'one',
|
||||
uploadSign = $(this).attr('data-upload-sign') || '|',
|
||||
@@ -1975,9 +1977,9 @@ define(["jquery", "tableSelect", "ckeditor", 'miniTheme', 'tableData', 'citypick
|
||||
|
||||
if (uploadExts == '*') {
|
||||
uploadExts = init.upload_exts;
|
||||
}else if(uploadExts.charAt(0) == '*'){
|
||||
} else if (uploadExts.charAt(0) == '*') {
|
||||
var extGroupName = uploadExts.slice(1);
|
||||
if(extGroup[extGroupName]){
|
||||
if (extGroup[extGroupName]) {
|
||||
uploadExts = extGroup[extGroupName].join('|');
|
||||
}
|
||||
}
|
||||
|
||||
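Review bot: Dropping the `|| init.upload_exts` fallback on `var uploadExts = $(this).attr('data-upload-exts'),` leaves `uploadExts` `undefined` for any element that carries `data-upload` but no `data-upload-exts` attribute, and the `uploadExts.charAt(0)` test in the following hunk then throws a TypeError that aborts the `$.each` loop for the remaining uploaders. Keep the dereference safe with `var uploadExts = $(this).attr('data-upload-exts') || '',` so a missing attribute behaves like the empty string the template now sets. What an empty extension list means to the upload widget is not visible here; if it disables the client-side filter that is only a usability change, since the server-side `validate` remains the authoritative check. The `$.each` callback continues past the end of the hunk.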