
修复陕西渗透扫描

wuchangfu hace 1 año
padre
commit
da9cf62f5c

+ 7 - 4
src/main/java/com/palmnest/application/core/util/FileUploadUtils.java

@@ -3,10 +3,7 @@ package com.palmnest.application.core.util;
 import java.awt.Image;
 import java.awt.image.BufferedImage;
 import java.io.*;
-import java.util.Calendar;
-import java.util.Iterator;
-import java.util.List;
-import java.util.UUID;
+import java.util.*;
 
 import javax.annotation.PostConstruct;
 import javax.imageio.ImageIO;
@@ -43,6 +40,7 @@ public class FileUploadUtils {
 	private static String         ATTACHMENT_ROOT; // 文件存储父路径
 	private static String         VISIT_PREFIX        = PropertiesKit.readPropertiesValue("image_server", "wechat.properties"); // 前端访问路径
 	private        String         ATTACHMENT_ROOT_KEY = "attachment.root";
+	private static List<String> allow_upload_suffix = new ArrayList<>(Arrays.asList(".png", ".jpg", ".jpeg"));
 	private static PathGeneration pathGeneration;
 
 	private static final String CHARSET     = "utf-8";
@@ -219,6 +217,11 @@ public class FileUploadUtils {
 			return "";
 		}
 
+		ext = ext.toLowerCase();
+		if (!allow_upload_suffix.contains(ext)) {
+			LOG.info("不允许上传扩展名文件:" + ext);
+			return "";
+		}
 		String _ext = "";
 		if (StringUtils.isNotEmpty(ext)) {
 			_ext = ext.startsWith(".") ? ext : "." + ext;
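Review bot: The new allow-list check `if (!allow_upload_suffix.contains(ext))` runs before the dot normalisation that immediately follows it (`_ext = ext.startsWith(".") ? ext : "." + ext;`), so an extension passed without a leading dot (e.g. `png`) is rejected even though the existing code accepts both forms; normalise first and compare the normalised value, `String _ext = ext.startsWith(".") ? ext : "." + ext;` then `if (!allow_upload_suffix.contains(_ext))`. `ext.toLowerCase()` uses the default locale, so `ext.toLowerCase(Locale.ROOT)` is the safer form (the Turkish dotless-i case), and `java.util.*` is already imported by the first hunk. The list added in the second hunk is a mutable, non-final static; `private static final List<String> ALLOW_UPLOAD_SUFFIX = Collections.unmodifiableList(Arrays.asList(".png", ".jpg", ".jpeg"));` prevents modification at runtime and matches the file's constant naming. The check only validates the declared extension; nothing in this hunk establishes that the uploaded bytes are an image, so presumably the `ImageIO` path elsewhere covers that — worth confirming. The enclosing method begins outside the hunk.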

+ 29 - 19
src/main/java/com/palmnest/webapp/controller/notice/WxNoticeController.java

@@ -142,29 +142,39 @@ public class WxNoticeController extends BaseFormController{
 		String openId=request.getParameter("openId");
 		String orgId=request.getParameter("orgId");
 		WxUser wxUser=scWxuserManager.getScWxuserByOpenId(openId);
-		if(StringUtils.isEmpty(pageNo)){
-			pageNo="1";
-		}
-		if(StringUtils.isEmpty(pageSize)){
-			pageSize="10";
-		}
-		HashMap<String, Object> map = new HashMap<String,Object>();
-		if(!StringUtils.isEmpty(state)){
-			map.put("state", state);
-		}
-		//优先传入的orgId参数,如果没有就通过openId拿orgId
-		if (StringUtils.isNotEmpty(orgId)) {
-			map.put("orgId", orgId);
-		}else{
-			if (wxUser != null && null != wxUser.getOrganizationId()) {
-				map.put("orgIds", wxUser.getOrganizationId());
+		try{
+			int i=0;
+			if(StringUtils.isEmpty(pageNo)){
+				pageNo="1";
+			}
+			if(StringUtils.isEmpty(pageSize)){
+				pageSize="10";
+			}
+			i = Integer.parseInt(pageSize);
+			i = Integer.parseInt(pageNo);
+
+			HashMap<String, Object> map = new HashMap<String,Object>();
+			if(!StringUtils.isEmpty(state)){
+				map.put("state", state);
+
+				i = Integer.parseInt(state);
+			}
+			//优先传入的orgId参数,如果没有就通过openId拿orgId
+			if (StringUtils.isNotEmpty(orgId)) {
+				map.put("orgId", orgId);
+				i = Integer.parseInt(orgId);
+			}else{
+				if (wxUser != null && null != wxUser.getOrganizationId()) {
+					map.put("orgIds", wxUser.getOrganizationId());
+				}else{
+					throw new Exception("参数不正确!");
+				}
 			}
-		}
 
 
 		map.put("type", 4);//微信首页列表
 		map.put("receiveType", 1);//只看全部的,不看部分的
-		try{
+
 			Page page=wxtemplateMessageManager.getDataList(map,Integer.parseInt(pageNo),Integer.parseInt(pageSize));
 
 			ArrayList<TempSaverList> resultList = new ArrayList<TempSaverList>();
@@ -216,7 +226,7 @@ public class WxNoticeController extends BaseFormController{
 		}catch(Exception e){
 			json.put("code", "1");
 			json.put("msg", "fail");
-			json.put("data", e.getMessage());
+			//json.put("data", e.getMessage());
 			StringUtil.charSet(json, request, response);
 			log.error(e.getMessage());
 			e.printStackTrace();
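Review bot: The new validation in the first hunk parses `pageSize`, `pageNo`, `state` and `orgId` into a throw-away local `i` purely to trigger `NumberFormatException`, then parses `pageNo` and `pageSize` a second time at the `getDataList` call; keep the parsed values instead (`int pageNoInt = Integer.parseInt(pageNo);`, `int pageSizeInt = Integer.parseInt(pageSize);`), pass them to `getDataList`, and drop `i`. Because the surrounding `catch(Exception e)` in the second hunk treats a malformed parameter the same as a backend failure, the `throw new Exception("参数不正确!")` and the parse errors are indistinguishable in both the response and the log; a dedicated `catch (NumberFormatException e)` placed before the general one, returning the same generic `fail` body, keeps the validation intent visible without exposing the message. In the catch block, `log.error(e.getMessage()); e.printStackTrace();` should become `log.error("notice list request failed", e);` so the stack trace reaches the logger rather than stdout, and the commented-out `//json.put("data", e.getMessage());` line can simply be deleted now that the exception text is no longer returned to the client. The method's start and end lie outside the hunks.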