From b4812f467e151266604f1b66bfdf63cfbdc75adc Mon Sep 17 00:00:00 2001
From: filesite
Date: Mon, 24 Oct 2022 20:08:09 +0800
Subject: [PATCH] improve dir/filename check
---
 controller/ApiController.php | 31 +++++++++++++++++++++++++------
 lib/DirScanner.php | 1 +
 www/css/manual.css | 4 ++--
 3 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/controller/ApiController.php b/controller/ApiController.php
index 7edcb49..8091286 100644
--- a/controller/ApiController.php
+++ b/controller/ApiController.php
@@ -56,6 +56,22 @@ Class ApiController extends Controller {
 return $valid;
 }
 
+ //判断文件名是否合法,不能为空以及不能包含空白字符
+ protected function isFilenameValid($filename) {
+ $notAllowedLetters = array(
+ '"',
+ "'",
+ '/',
+ "\\",
+ ';',
+ );
+ if (empty($filename) || preg_match('/\s/', $filename) || str_replace($notAllowedLetters, '', $filename) != $filename) {
+ return false;
+ }
+
+ return true;
+ }
+
 //目录、文件列表
 public function actionLs() {
 $code = 0;
@@ -133,8 +149,8 @@ Class ApiController extends Controller {
 if (empty($newDir) || mb_strlen($newDir, 'utf-8') > $maxDirLen) {
 $err = "目录名不能为空且最长 {$maxDirLen} 个字符";
 return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
-}else if (strpos($newDir, '/') !== false) {
-$err = "待创建的目录名称中不能包含斜杠字符!";
+}else if (!$this->isFilenameValid($newDir)) {
+$err = "待创建的目录名称中不能包含空格、单双引号、斜杠和分号字符!";
 return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
 }
 
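Review bot: isFilenameValid still accepts the names `.` and `..`, which contain none of the forbidden characters yet name the current and parent directory, so the mkdir, rename, delete and upload callers in the later hunks can be pointed one level above the intended folder; reject them explicitly before the character check, e.g. `if ($filename === '.' || $filename === '..') { return false; }`. `empty($filename)` also rejects the legitimate name `"0"`, so `$filename === ''` is the intended test. The comparison `str_replace(...) != $filename` should be strict (`!==`), and a NUL byte is caught neither by `\s` nor by the list — on PHP 8 it surfaces as an uncaught ValueError from the filesystem call instead of the intended 4xx — so add `"\0"` to `$notAllowedLetters`. The header comment only mentions whitespace; it should name the quote, slash and semicolon restrictions as well since the same validator now guards all four call sites.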
@@ -273,8 +289,8 @@ Class ApiController extends Controller {
 if (empty($fromDir) || mb_strlen($fromDir, 'utf-8') > $maxDirLen || empty($toDir) || mb_strlen($toDir, 'utf-8') > $maxDirLen) {
 $err = "目录名不能为空且最长 {$maxDirLen} 个字符";
 return $this->renderJson(compact('code', 'msg', 'err', 'data'));
-}else if (strpos($fromDir, '/') !== false || strpos($toDir, '/') !== false) {
-$err = "目录名称中不能包含斜杠字符!";
+}else if (!$this->isFilenameValid($fromDir) || !$this->isFilenameValid($toDir)) {
+$err = "目录名称中不能包含空格、单双引号、斜杠和分号字符!";
 return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
 }
 
@@ -322,8 +338,8 @@ Class ApiController extends Controller {
 if (empty($delFile) || mb_strlen($delFile, 'utf-8') > $maxDirLen) {
 $err = "文件名不能为空且最长 {$maxDirLen} 个字符";
 return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
-}else if (strpos($delFile, '/') !== false) {
-$err = "待删除的文件名称中不能包含斜杠字符!";
+}else if (!$this->isFilenameValid($delFile)) {
+$err = "待删除的文件名称中不能包含空格、单双引号、斜杠和分号字符!";
 return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
 }
 
@@ -558,6 +574,9 @@ Class ApiController extends Controller {
 if (empty($upfile) || empty($filename)) {
 $err = '所有参数都不能为空!';
 return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
+ }else if (!$this->isFilenameValid($filename)) {
+ $err = '文件名不能包含空格、单双引号、斜杠和分号字符!';
+ return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
 }else if (!preg_match('/^data:[a-z0-9]+\/[a-z0-9]+;base64,/i', $upfile)) {
 $err = '图片数据必需为base64格式!';
 return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
diff --git a/lib/DirScanner.php b/lib/DirScanner.php
index 82115c0..2eb6ddf 100644
--- a/lib/DirScanner.php
+++ b/lib/DirScanner.php
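Review bot: The new isFilenameValid branch in the upload hunk (-558) constrains the characters of `$filename` but not its extension, and the data-URL check on the next line only verifies that `$upfile` is base64 with some `type/subtype`, so nothing ties the declared media type to the name the client chose. If the decoded data is later written under `$filename` into a web-served directory — the write is outside this hunk, as is the rest of the enclosing method — the extension should be allow-listed against the image types this endpoint is meant to accept, e.g. `in_array(strtolower(pathinfo($filename, PATHINFO_EXTENSION)), ['jpg', 'jpeg', 'png', 'gif'], true)`, and the error message that follows (`图片数据必需为base64格式!`) suggests that is the intent.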
@@ -162,6 +162,7 @@ Class DirScanner {
 
 //获取路径中的最后一个目录名,支持中文
 private function basename($realpath) {
+ $realpath = preg_replace('/\/$/', '', $realpath);
 $arr = explode('/', $realpath);
 if (count($arr) < 2) {return $realpath;}
 
diff --git a/www/css/manual.css b/www/css/manual.css
index 027ba0e..75bd1cc 100644
--- a/www/css/manual.css
+++ b/www/css/manual.css
@@ -18,8 +18,8 @@
 @media (max-width: 640px) {
 .header{position: static}
 .indexes{position:static;width:auto;padding-bottom:0.5em;margin-bottom:0.5em;margin-top: 0}
- .indexes h1{display:block;padding-left:0;padding-bottom:0.3em;text-align:center;font-size:1.3em}
+ .indexes h1{display:block;padding-left:0;padding-bottom:0.3em;text-align:center;font-size:1.3em;margin-top:1em}
 .indexes h1 a{color:inherit}
 .content{margin-left:0;margin-top:0}
 .content h1{display:none}
-}
\ No newline at end of file
+}
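Review bot: The added `preg_replace('/\/$/', '', $realpath)` strips exactly one trailing slash, so a path ending in `//` still explodes to a trailing empty element, and preg_replace returns null on a PCRE error, which would then be handed to explode; `$realpath = rtrim($realpath, '/');` removes any run of trailing slashes and cannot fail. basename's body continues past the hunk, so whether its callers ever produce doubled slashes is not visible here.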