
improve dir/filename check

master
filesite 2 years ago
parent
commit
b4812f467e
  1. 31
      controller/ApiController.php
  2. 1
      lib/DirScanner.php
  3. 4
      www/css/manual.css

31
controller/ApiController.php

@ -56,6 +56,22 @@ Class ApiController extends Controller {
return $valid; return $valid;
} }
//判断文件名是否合法,不能为空以及不能包含空白字符
protected function isFilenameValid($filename) {
$notAllowedLetters = array(
'"',
"'",
'/',
"\\",
';',
);
if (empty($filename) || preg_match('/\s/', $filename) || str_replace($notAllowedLetters, '', $filename) != $filename) {
return false;
}
return true;
}
//目录、文件列表 //目录、文件列表
public function actionLs() { public function actionLs() {
$code = 0; $code = 0;
@ -133,8 +149,8 @@ Class ApiController extends Controller {
if (empty($newDir) || mb_strlen($newDir, 'utf-8') > $maxDirLen) { if (empty($newDir) || mb_strlen($newDir, 'utf-8') > $maxDirLen) {
$err = "目录名不能为空且最长 {$maxDirLen} 个字符"; $err = "目录名不能为空且最长 {$maxDirLen} 个字符";
return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']); return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
}else if (strpos($newDir, '/') !== false) { }else if (!$this->isFilenameValid($newDir)) {
$err = "待创建的目录名称中不能包含斜杠字符!"; $err = "待创建的目录名称中不能包含空格、单双引号、斜杠和分号字符!";
return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']); return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
} }
@ -273,8 +289,8 @@ Class ApiController extends Controller {
if (empty($fromDir) || mb_strlen($fromDir, 'utf-8') > $maxDirLen || empty($toDir) || mb_strlen($toDir, 'utf-8') > $maxDirLen) { if (empty($fromDir) || mb_strlen($fromDir, 'utf-8') > $maxDirLen || empty($toDir) || mb_strlen($toDir, 'utf-8') > $maxDirLen) {
$err = "目录名不能为空且最长 {$maxDirLen} 个字符"; $err = "目录名不能为空且最长 {$maxDirLen} 个字符";
return $this->renderJson(compact('code', 'msg', 'err', 'data')); return $this->renderJson(compact('code', 'msg', 'err', 'data'));
}else if (strpos($fromDir, '/') !== false || strpos($toDir, '/') !== false) { }else if (!$this->isFilenameValid($fromDir) || !$this->isFilenameValid($toDir)) {
$err = "目录名称中不能包含斜杠字符!"; $err = "目录名称中不能包含空格、单双引号、斜杠和分号字符!";
return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']); return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
} }
@ -322,8 +338,8 @@ Class ApiController extends Controller {
if (empty($delFile) || mb_strlen($delFile, 'utf-8') > $maxDirLen) { if (empty($delFile) || mb_strlen($delFile, 'utf-8') > $maxDirLen) {
$err = "文件名不能为空且最长 {$maxDirLen} 个字符"; $err = "文件名不能为空且最长 {$maxDirLen} 个字符";
return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']); return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
}else if (strpos($delFile, '/') !== false) { }else if (!$this->isFilenameValid($delFile)) {
$err = "待删除的文件名称中不能包含斜杠字符!"; $err = "待删除的文件名称中不能包含空格、单双引号、斜杠和分号字符!";
return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']); return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
} }
@ -558,6 +574,9 @@ Class ApiController extends Controller {
if (empty($upfile) || empty($filename)) { if (empty($upfile) || empty($filename)) {
$err = '所有参数都不能为空!'; $err = '所有参数都不能为空!';
return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']); return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
}else if (!$this->isFilenameValid($filename)) {
$err = '文件名不能包含空格、单双引号、斜杠和分号字符!';
return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
}else if (!preg_match('/^data:[a-z0-9]+\/[a-z0-9]+;base64,/i', $upfile)) { }else if (!preg_match('/^data:[a-z0-9]+\/[a-z0-9]+;base64,/i', $upfile)) {
$err = '图片数据必需为base64格式!'; $err = '图片数据必需为base64格式!';
return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']); return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
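Review bot: isFilenameValid, added at the top of this section, still accepts the names `.` and `..` — they contain none of the blocked characters and no whitespace — so the mkdir, rename and delete branches that now call it (the `$newDir`, `$fromDir`/`$toDir` and `$delFile` checks) pass a dot-dot name straight through; whether that escapes the intended directory depends on how the name is joined to a base path outside these hunks, but the helper should reject both outright. A NUL byte is also not rejected, so such a name reaches PHP's filesystem functions, which refuse it with a warning or error rather than the clean JSON error the other cases return. I would change the condition to `if (empty($filename) || $filename === '.' || $filename === '..' || strpos($filename, "\0") !== false || preg_match('/\s/', $filename) || str_replace($notAllowedLetters, '', $filename) !== $filename) {` and replace the Chinese header comment with `// Reject empty, '.', '..', NUL/whitespace-containing names and any blocked character; this is a deny-list, so other control characters still pass — an allow-list (e.g. preg_match('/^[\p{L}\p{N}._-]+$/u', $filename)) would be stronger.` Note that `empty($filename)` also rejects the literal name "0" (a file named 0 can then never be created or deleted); `$filename === ''` is the precise check.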

1
lib/DirScanner.php

@ -162,6 +162,7 @@ Class DirScanner {
//获取路径中的最后一个目录名,支持中文 //获取路径中的最后一个目录名,支持中文
private function basename($realpath) { private function basename($realpath) {
$realpath = preg_replace('/\/$/', '', $realpath);
$arr = explode('/', $realpath); $arr = explode('/', $realpath);
if (count($arr) < 2) {return $realpath;} if (count($arr) < 2) {return $realpath;}
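Review bot: The added `preg_replace('/\/$/', '', $realpath)` strips exactly one trailing slash, so a path ending in `//` still carries a trailing slash into explode and the last element is an empty string, which is the case this line was meant to remove. `$realpath = rtrim($realpath, '/');` removes any run of trailing slashes, gives the same result for the single-slash case and avoids the regex call. The enclosing basename method continues past the end of this hunk, so I have not checked how the last element is returned. A short comment such as `// drop trailing slash(es) so the last path segment is the directory name, not ''` would make the intent explicit.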

4
www/css/manual.css

@ -18,8 +18,8 @@
@media (max-width: 640px) { @media (max-width: 640px) {
.header{position: static} .header{position: static}
.indexes{position:static;width:auto;padding-bottom:0.5em;margin-bottom:0.5em;margin-top: 0} .indexes{position:static;width:auto;padding-bottom:0.5em;margin-bottom:0.5em;margin-top: 0}
.indexes h1{display:block;padding-left:0;padding-bottom:0.3em;text-align:center;font-size:1.3em} .indexes h1{display:block;padding-left:0;padding-bottom:0.3em;text-align:center;font-size:1.3em;margin-top:1em}
.indexes h1 a{color:inherit} .indexes h1 a{color:inherit}
.content{margin-left:0;margin-top:0} .content{margin-left:0;margin-top:0}
.content h1{display:none} .content h1{display:none}
} }
