解决任意文件上传、水平越权

aba4478b · zhouzhigang · d0f45381 · aba4478b · aba4478b
--- a/com.zrqx.fg.member/src/main/java/com/zrqx/bg/member/service/teacher/FgTeacherServiceImpl.java
+++ b/com.zrqx.fg.member/src/main/java/com/zrqx/bg/member/service/teacher/FgTeacherServiceImpl.java
@@ -52,6 +52,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.springframework.web.multipart.MultipartFile;
 import tk.mybatis.mapper.entity.Example;
+import zipkin2.Call;

 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -175,6 +176,13 @@ public class FgTeacherServiceImpl extends BaseModelServiceImpl<Member,Integer> i
 	}
 	@Override
 	public boolean updateMember(FgMemberForm form) throws Exception {
+		//修改用户信息之前加一层校验，根据token验证用户身份
+		if(!redis.isExistMember()){
+			throw new BaseException(-3,"无操作权限");
+		}
+		if(redis.getMember().getId().intValue() != form.getId().intValue()){
+			throw new BaseException(-3,"无操作权限");
+		}
 		Member entity = teacherMapper.selectByPrimaryKey(form.getId());
 		// md5密码加密
 		if (StringUtils.isNotEmpty(form.getPassword())) {

--- a/com.zrqx.file/src/main/java/com/zrqx/file/service/impl/FileServiceImpl.java
+++ b/com.zrqx.file/src/main/java/com/zrqx/file/service/impl/FileServiceImpl.java
 package com.zrqx.file.service.impl;

+import com.zrqx.core.exception.BaseException;
 import it.sauronsoftware.jave.Encoder;
 import it.sauronsoftware.jave.EncodingAttributes;
 import it.sauronsoftware.jave.MultimediaInfo;
@@ -12,6 +13,7 @@ import java.io.FileOutputStream;
 import java.io.IOException;
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Date;
 import java.util.List;
 import java.util.zip.ZipEntry;
@@ -69,6 +71,9 @@ public class FileServiceImpl extends BaseServiceImpl<FileInfo, String> implement
 	@Value("${file.upload.picture.compression.quality}")
 	private float quality;

+	private List<String> FILE_TYPE = Arrays.asList(".png", ".jpg",
+			".bmp", ".jpeg", ".gif", ".zip", ".rar", ".mp4", ".mp3");
+
 	@Override
 	public FileInfo uploadFile(MultipartFile file) {
 		String contentType = file.getContentType();
@@ -76,9 +81,13 @@ public class FileServiceImpl extends BaseServiceImpl<FileInfo, String> implement
 		String fileName = file.getOriginalFilename();
 		// 获取文件的后缀名
 		String suffixName = fileName.substring(fileName.lastIndexOf("."));
+		final String suf = suffixName;
 		// 解决中文问题，liunx下中文路径，图片显示问题
 		String uuid = UUIDUtil.getUUID();
-
+		boolean bl = FILE_TYPE.stream().anyMatch(str -> str.equalsIgnoreCase(suf));
+		if (!bl) {
+			throw new BaseException("上传失败，请检查上传文件类型");
+		}
 		SimpleDateFormat sdf = new SimpleDateFormat("yyyy/MM/dd");
 		String path = sdf.format(new Date());
 		String filePath = rootPath + path + "/";
@@ -271,7 +280,7 @@ public class FileServiceImpl extends BaseServiceImpl<FileInfo, String> implement
 	
 	/**
 	 * 获取视频随机帧（图片存储路径与视频一致、名称为视频名称后加_cover）
-	 * @param file
+	 * @param
 	 * @return
 	 * @author lw
 	 * @date: 2019年4月10日 上午9:03:14