上传文件漏洞
1,在上传图片的时候,有些图片可能是木马文件,后缀改成了图片的后缀名。。。需要判断文件流,是否是图片
@WebServlet("/load/UploadServlet")
public class UploadServlet extends HttpServlet {
/**
* 文件上传
*/
protected void doPost(HttpServletRequest request, HttpServletResponse response) {
String root = request.getServletContext().getRealPath("/upload");
DiskFileItemFactory factory = new DiskFileItemFactory();
ServletFileUpload upload = new ServletFileUpload(factory);
try {
List<FileItem> list = upload.parseRequest(request);
for (FileItem it : list) {
// 如果是file文件类型
if (!it.isFormField()) {
// FileType fileType = getFileType(it.getInputStream());
// if (fileType == null) {
// // 非图片格式
// response.getWriter().write("fail");
// return;
// }
// String imgValue = fileType.getValue();
// System.out.println("imgValue:" + imgValue);
// 是图片格式
it.write(new File(root + "/" + it.getName()));
response.getWriter().write("success");
}
}
} catch (Exception e) {
try {
response.getWriter().write("exception");
} catch (IOException e1) {
e1.printStackTrace();
}
e.printStackTrace();
}
}
// 判断文件是图片格式
public static FileType getFileType(InputStream is) throws IOException {
byte[] src = new byte[28];
is.read(src, 0, 28);
StringBuilder stringBuilder = new StringBuilder("");
if (src == null || src.length <= 0) {
return null;
}
for (int i = 0; i < src.length; i++) {
int v = src[i] & 0xFF;
String hv = Integer.toHexString(v).toUpperCase();
if (hv.length() < 2) {
stringBuilder.append(0);
}
stringBuilder.append(hv);
}
FileType[] fileTypes = FileType.values();
for (FileType fileType : fileTypes) {
if (stringBuilder.toString().startsWith(fileType.getValue())) {
return fileType;
}
}
return null;
}
}
Aimer,c'est partager
