
improve dir/filename check

master
filesite 2 years ago
parent
commit
b4812f467e
  1. 31
      controller/ApiController.php
  2. 1
      lib/DirScanner.php
  3. 2
      www/css/manual.css

31
controller/ApiController.php

@ -56,6 +56,22 @@ Class ApiController extends Controller { @@ -56,6 +56,22 @@ Class ApiController extends Controller {
return $valid;
}
//判断文件名是否合法,不能为空以及不能包含空白字符
protected function isFilenameValid($filename) {
$notAllowedLetters = array(
'"',
"'",
'/',
"\\",
';',
);
if (empty($filename) || preg_match('/\s/', $filename) || str_replace($notAllowedLetters, '', $filename) != $filename) {
return false;
}
return true;
}
//目录、文件列表
public function actionLs() {
$code = 0;
@ -133,8 +149,8 @@ Class ApiController extends Controller { @@ -133,8 +149,8 @@ Class ApiController extends Controller {
if (empty($newDir) || mb_strlen($newDir, 'utf-8') > $maxDirLen) {
$err = "目录名不能为空且最长 {$maxDirLen} 个字符";
return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
}else if (strpos($newDir, '/') !== false) {
$err = "待创建的目录名称中不能包含斜杠字符!";
}else if (!$this->isFilenameValid($newDir)) {
$err = "待创建的目录名称中不能包含空格、单双引号、斜杠和分号字符!";
return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
}
@ -273,8 +289,8 @@ Class ApiController extends Controller { @@ -273,8 +289,8 @@ Class ApiController extends Controller {
if (empty($fromDir) || mb_strlen($fromDir, 'utf-8') > $maxDirLen || empty($toDir) || mb_strlen($toDir, 'utf-8') > $maxDirLen) {
$err = "目录名不能为空且最长 {$maxDirLen} 个字符";
return $this->renderJson(compact('code', 'msg', 'err', 'data'));
}else if (strpos($fromDir, '/') !== false || strpos($toDir, '/') !== false) {
$err = "目录名称中不能包含斜杠字符!";
}else if (!$this->isFilenameValid($fromDir) || !$this->isFilenameValid($toDir)) {
$err = "目录名称中不能包含空格、单双引号、斜杠和分号字符!";
return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
}
@ -322,8 +338,8 @@ Class ApiController extends Controller { @@ -322,8 +338,8 @@ Class ApiController extends Controller {
if (empty($delFile) || mb_strlen($delFile, 'utf-8') > $maxDirLen) {
$err = "文件名不能为空且最长 {$maxDirLen} 个字符";
return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
}else if (strpos($delFile, '/') !== false) {
$err = "待删除的文件名称中不能包含斜杠字符!";
}else if (!$this->isFilenameValid($delFile)) {
$err = "待删除的文件名称中不能包含空格、单双引号、斜杠和分号字符!";
return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
}
@ -558,6 +574,9 @@ Class ApiController extends Controller { @@ -558,6 +574,9 @@ Class ApiController extends Controller {
if (empty($upfile) || empty($filename)) {
$err = '所有参数都不能为空!';
return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
}else if (!$this->isFilenameValid($filename)) {
$err = '文件名不能包含空格、单双引号、斜杠和分号字符!';
return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
}else if (!preg_match('/^data:[a-z0-9]+\/[a-z0-9]+;base64,/i', $upfile)) {
$err = '图片数据必需为base64格式!';
return $this->renderJson(compact('code', 'msg', 'err', 'data'), $this->httpStatus['notAllowed']);
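Review bot: The new isFilenameValid method in the first hunk still accepts the names `.` and `..` — they contain none of the blocked characters and no whitespace — yet the later hunks route every accepted value into the create, rename, delete and upload paths, so a rename whose source is `..` could act on the parent of the managed directory rather than an entry inside it. The check also lets control characters through (`\s` does not match `\0` or other C0 bytes), and `empty($filename)` rejects the legitimate name `0`. I would put `if ($filename === '' || $filename === '.' || $filename === '..' || preg_match('/[\x00-\x1f\x7f]/', $filename)) { return false; }` ahead of the existing character test and compare the str_replace result with `!==` instead of `!=`. The calling handlers in the remaining hunks start and end outside the hunks and need no change once the helper rejects these inputs.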

1
lib/DirScanner.php

@ -162,6 +162,7 @@ Class DirScanner { @@ -162,6 +162,7 @@ Class DirScanner {
//获取路径中的最后一个目录名,支持中文
private function basename($realpath) {
$realpath = preg_replace('/\/$/', '', $realpath);
$arr = explode('/', $realpath);
if (count($arr) < 2) {return $realpath;}
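Review bot: The line that appears to be the addition, `$realpath = preg_replace('/\/$/', '', $realpath);`, strips only one trailing slash, so a path ending in `//` still yields an empty last segment from explode() on the next line; `$realpath = rtrim($realpath, '/');` removes any number of them and avoids a PCRE call whose null-on-error return would otherwise propagate into explode(). basename's body continues outside the hunk.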

2
www/css/manual.css

@ -18,7 +18,7 @@ @@ -18,7 +18,7 @@
@media (max-width: 640px) {
.header{position: static}
.indexes{position:static;width:auto;padding-bottom:0.5em;margin-bottom:0.5em;margin-top: 0}
.indexes h1{display:block;padding-left:0;padding-bottom:0.3em;text-align:center;font-size:1.3em}
.indexes h1{display:block;padding-left:0;padding-bottom:0.3em;text-align:center;font-size:1.3em;margin-top:1em}
.indexes h1 a{color:inherit}
.content{margin-left:0;margin-top:0}
.content h1{display:none}
