Upload File Vulnerability

1. When uploading pictures, some uploads may be a Trojan horse file whose extension has been changed to look like a picture. You need to inspect the file stream itself to determine whether it is really a picture.

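@WebServlet("/load/UploadServlet")
public class UploadServlet extends HttpServlet {

    /** Number of leading bytes compared against the {@link FileType} signatures. */
    private static final int HEADER_LENGTH = 28;

    /**
     * Extensions accepted for an image upload (compared in lower case). The magic-byte check alone is
     * not enough: a file with a genuine image header but a script extension could be executed by the
     * container if it is served from the web root, so the extension is validated as well.
     */
    private static final List<String> ALLOWED_EXTENSIONS =
            java.util.Arrays.asList("jpg", "jpeg", "png", "gif", "bmp");

    /**
     * Handles an image upload.
     *
     * <p>Every non-form-field part is checked twice before it is stored: its leading bytes must match a
     * known {@link FileType} signature and its extension must be in {@link #ALLOWED_EXTENSIONS}. The
     * file is stored under a server-generated name, so the client-supplied name is never used as a path
     * (no directory traversal, no overwriting of existing files). Writes {@code success} per stored
     * file, {@code fail} for a rejected part and {@code exception} on any error.
     *
     * @param request  multipart request holding the uploaded parts
     * @param response receives one of {@code success}, {@code fail} or {@code exception}
     */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response) {
        String root = request.getServletContext().getRealPath("/upload");
        DiskFileItemFactory factory = new DiskFileItemFactory();
        ServletFileUpload upload = new ServletFileUpload(factory);
        try {
            // getRealPath returns null when the application is not deployed as an exploded directory
            if (root == null) {
                throw new IllegalStateException("upload directory is not available on the file system");
            }
            File uploadDir = new File(root);
            if (!uploadDir.isDirectory() && !uploadDir.mkdirs()) {
                throw new IOException("cannot create upload directory " + uploadDir);
            }
            List<FileItem> list = upload.parseRequest(request);
            for (FileItem it : list) {
                if (it.isFormField()) {
                    continue;
                }
                String extension = extensionOf(it.getName());
                FileType fileType;
                try (InputStream in = it.getInputStream()) {
                    fileType = getFileType(in);
                }
                // reject anything that is not recognisably an image by both header and extension
                if (fileType == null || extension == null || !ALLOWED_EXTENSIONS.contains(extension)) {
                    response.getWriter().write("fail");
                    return;
                }
                // server-generated name: the original name is untrusted and may contain path separators
                File target = new File(uploadDir, java.util.UUID.randomUUID() + "." + extension);
                it.write(target);
                response.getWriter().write("success");
            }
        } catch (Exception e) {
            log("file upload failed", e);
            try {
                response.getWriter().write("exception");
            } catch (IOException e1) {
                log("could not write upload failure response", e1);
            }
        }
    }

    /**
     * Returns the lower-cased extension of a client-supplied file name, or {@code null} if it has none.
     * Only the part after the last path separator is considered, so a name containing directories
     * (some browsers send the full client path) is handled like a bare file name.
     *
     * @param name file name as sent by the client; may be {@code null}
     * @return extension without the dot, lower case, or {@code null}
     */
    private static String extensionOf(String name) {
        if (name == null) {
            return null;
        }
        int slash = Math.max(name.lastIndexOf('/'), name.lastIndexOf('\\'));
        String bare = name.substring(slash + 1);
        int dot = bare.lastIndexOf('.');
        if (dot < 0 || dot == bare.length() - 1) {
            return null;
        }
        return bare.substring(dot + 1).toLowerCase();
    }

    /**
     * Identifies a picture format from the first {@value #HEADER_LENGTH} bytes of a stream.
     *
     * <p>The bytes read are hex-encoded (upper case, two digits per byte) and compared with the prefix
     * held by each {@link FileType} value; the enum values are therefore expected to be upper-case hex
     * strings — verify against the enum definition.
     *
     * @param is stream positioned at the start of the file; it is read but not closed
     * @return the matching {@link FileType}, or {@code null} if the stream is empty or matches none
     * @throws IOException if reading the stream fails
     */
    public static FileType getFileType(InputStream is) throws IOException {
        byte[] header = new byte[HEADER_LENGTH];
        int total = 0;
        // InputStream.read may return fewer bytes than requested; keep reading until the header is full or EOF
        while (total < header.length) {
            int n = is.read(header, total, header.length - total);
            if (n < 0) {
                break;
            }
            total += n;
        }
        if (total == 0) {
            return null;
        }
        StringBuilder hex = new StringBuilder(total * 2);
        for (int i = 0; i < total; i++) {
            int v = header[i] & 0xFF;
            if (v < 0x10) {
                hex.append('0');
            }
            hex.append(Integer.toHexString(v).toUpperCase());
        }
        String signature = hex.toString();
        for (FileType fileType : FileType.values()) {
            if (signature.startsWith(fileType.getValue())) {
                return fileType;
            }
        }
        return null;
    }

}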

 


Origin www.cnblogs.com/pickKnow/p/11266743.html