fix: harden listFiles and addTask validation

kl
2026-06-11 10:16:34 +08:00
parent 1568b3023d
commit c6df85be1b
6 changed files with 96 additions and 6 deletions


@@ -8,6 +8,8 @@ import cn.keking.service.FilePreviewFactory;
import cn.keking.service.cache.CacheService;
import cn.keking.service.impl.OtherFilePreviewImpl;
import cn.keking.utils.*;
import cn.keking.web.filter.TrustDirFilter;
import cn.keking.web.filter.TrustHostFilter;
import fr.opensagres.xdocreport.core.io.IOUtils;
import org.apache.commons.codec.binary.Base64;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
@@ -231,6 +233,11 @@ public class OnlinePreviewController {
logger.info("{}url{}", errorMsg, fileUrls);
return errorMsg;
}
if (!TrustHostFilter.isTrustedSourceUrl(fileUrls) || !TrustDirFilter.isTrustedFileUrl(fileUrls)) {
String errorMsg = "访问不合法:来源地址不受信任!";
logger.info("{}url{}", errorMsg, fileUrls);
return errorMsg;
}
logger.info("添加转码队列url{}", fileUrls);
cacheService.addQueueTask(fileUrls);
return "success";
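Review bot: The new rejection branch ahead of `cacheService.addQueueTask(fileUrls)` logs the refused URL at info level with the same `"{}url{}"` pattern as the error branch above it, so a blocked untrusted-source request has the same severity as normal traffic and the raw request value is written to the log as received. I would raise it to a warning with a separator, for example `logger.warn("{} url={}", errorMsg, fileUrls);`, and strip CR/LF from `fileUrls` before logging so the entry can drive an alert and cannot break across log lines. Separately, the trust check runs only at enqueue time. The code that later dequeues and fetches the URL is not visible here; if it follows redirects or resolves the host again, the `TrustHostFilter` and `TrustDirFilter` checks presumably need repeating at fetch time. The enclosing method starts and ends outside this hunk.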