优化上传扩展名的配置;增加上传文件代码注入检测;

2022-10-29 11:12:22 +08:00
parent de688caa74
commit fa635ba3ac
3 changed files with 31 additions and 10 deletions


@@ -6,7 +6,7 @@
<div class="layui-input-block layuimini-upload">
<input name="head_img" class="layui-input layui-col-xs6" lay-verify="required" lay-reqtext="请上传文件" placeholder="请上传文件" value="">
<div class="layuimini-upload-btn">
<span><a class="layui-btn" data-upload="head_img" data-upload-number="*" data-upload-exts="*"><i class="fa fa-upload"></i> 上传文件</a></span>
<span><a class="layui-btn" data-upload="head_img" data-upload-number="*" data-upload-exts=""><i class="fa fa-upload"></i> 上传文件</a></span>
</div>
</div>
</div>


@@ -4,6 +4,7 @@ namespace app\common\service;
use app\admin\model\SystemUploadfile;
use app\common\tools\PathTools;
use think\exception\ValidateException;
use think\facade\App;
use think\facade\Filesystem;
use think\facade\Validate;
@@ -24,7 +25,7 @@ class UploadService
$this->uploadType = $upload_type;
}
public function validate($file, $allow_ext = null, $allow_size = null, $fail_exception = false)
public function validate(File $file, $allow_ext = null, $allow_size = null, $fail_exception = false)
{
$uploadConfig = sysconfig('upload');
@@ -41,10 +42,28 @@ class UploadService
'file|文件' => "require|file|fileExt:{$uploadConfig['upload_allow_ext']}|fileSize:{$uploadConfig['upload_allow_size']}",
];
return Validate::failException($fail_exception)->check([
$validat_result = Validate::failException($fail_exception)->check([
'upload_type' => $this->uploadType,
'file' => $file
], $rule);
if (!$validat_result) {
return $validat_result;
}
// 出于性能原因,您可以注释掉下面的代码
$file_path = $file->getRealPath();
if (strpos(file_get_contents($file_path), '<?php') !== false) {
if ($fail_exception) {
throw new ValidateException("文件含有PHP注入代码");
} else {
return '文件含有PHP注入代码';
}
}
return true;
}
public function validateException($file, $allow_ext = null, $allow_size = null)
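Review bot: The content check at L50 matches only the literal lowercase `<?php`, so `<?PHP` (PHP reads tags case-insensitively) and the always-enabled short echo tag `<?=` slip through; at minimum make it `if (preg_match('/<\?(php|=)/i', file_get_contents($file_path)) === 1) {`, and treat even that as defense in depth — the `fileExt` allowlist on L38 and serving the upload directory without script execution are what actually prevent execution, so the comment at L48 should say the check is optional only because those controls exist, not frame it as a performance knob. On the non-exception path the function now returns the truthy string `'文件含有PHP注入代码'` where the original returned the boolean from `Validate::check`; a caller written as `if (!$upload->validate($file))` would accept the file, so return `false` and surface the message the same way the other validation failures do (how callers consume the result is not visible here). `file_get_contents` also reads the whole upload into memory, bounded only by `upload_allow_size`; a loop over `fread` chunks with a few bytes of overlap keeps the cost flat. The `File` type hint added at L34 needs `use think\File;`, which the imports hunk does not show (only `use think\facade\App;` is visible) — confirm it resolves. `validate` starts in the preceding hunk.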


@@ -63,15 +63,17 @@ define(["jquery", "tableSelect", "ckeditor", 'miniTheme', 'tableData', 'citypick
'file': []
}
var allExtGroup = [];
for (const extGroupName in extGroup) {
if (Object.hasOwnProperty.call(extGroup, extGroupName)) {
const extGroupList = extGroup[extGroupName];
if (init.upload_exts.length > 0) {
init.upload_exts += '|';
}
init.upload_exts += extGroupList.join('|')
allExtGroup = allExtGroup.concat(extGroupList)
}
}
init.upload_exts += allExtGroup.join('|')
var admin = {
config: {
@@ -1963,7 +1965,7 @@ define(["jquery", "tableSelect", "ckeditor", 'miniTheme', 'tableData', 'citypick
if (uploadList.length > 0) {
$.each(uploadList, function (i, v) {
var uploadExts = $(this).attr('data-upload-exts') || init.upload_exts,
var uploadExts = $(this).attr('data-upload-exts'),
uploadName = $(this).attr('data-upload'),
uploadNumber = $(this).attr('data-upload-number') || 'one',
uploadSign = $(this).attr('data-upload-sign') || '|',
@@ -1975,9 +1977,9 @@ define(["jquery", "tableSelect", "ckeditor", 'miniTheme', 'tableData', 'citypick
if (uploadExts == '*') {
uploadExts = init.upload_exts;
}else if(uploadExts.charAt(0) == '*'){
} else if (uploadExts.charAt(0) == '*') {
var extGroupName = uploadExts.slice(1);
if(extGroup[extGroupName]){
if (extGroup[extGroupName]) {
uploadExts = extGroup[extGroupName].join('|');
}
}
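Review bot: Dropping the `|| init.upload_exts` fallback at L84 means an element that has `data-upload` but no `data-upload-exts` attribute now yields `undefined`, and `uploadExts.charAt(0)` at L92 throws a TypeError for it, aborting the rest of the `$.each` pass; unless the lines between the two hunks (not shown) guard this, change it to `var uploadExts = $(this).attr('data-upload-exts') || '',` so missing and empty attributes behave the same. It would also help to document the attribute grammar above L89, e.g. `// data-upload-exts: '*' = all configured groups, '*<group>' = one group, 'a|b' = explicit list, '' = no client-side filter`, since the template change in this commit depends on that distinction. Whatever the client filter ends up being, it is only a UX hint — the `fileExt` rule in UploadService remains the enforcing check. The `$.each` callback starts before L81 and ends after L98.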