在文件上传和下载时，路径容易被攻击，主要是因为路径中可能出现 ../ ./ * ? 等非法字符，因此需要对路径进行过滤。直接上代码：
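/**
 * Characters that {@link #validFilePath(String)} lets through; every other character is removed.
 * Keyed by the single-character string so the lookup is a plain map hit.
 */
private static final Map<String, String> pathCharWhiteList = new HashMap<String, String>();

static {
    // Path character whitelist: ASCII letters, digits, '_', '.', '/' and '\'.
    // The original literal skipped '6', so any name containing that digit was silently mangled.
    // '-' and ' ' are not on the list: names containing them are altered, not rejected.
    // (The former StringUtils.hasLength() guard tested a non-empty literal and was always true.)
    String pathCharWhiteListResources = "abcdefghijklmnopqrstuvwxyz_1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ./\\";
    for (int i = 0; i < pathCharWhiteListResources.length(); i++) {
        String c = String.valueOf(pathCharWhiteListResources.charAt(i));
        pathCharWhiteList.put(c, c);
    }
}

/**
 * Removes characters that are not on the whitelist and strips the {@code ..}, {@code ./} and
 * {@code .\} sequences used for directory traversal.
 * <p>
 * Filtering runs in two passes: first every non-whitelisted character is dropped, then every
 * {@code '.'} that is followed by another {@code '.'} or by a separator is dropped. Doing the dot
 * check on the already-filtered string matters: in a single pass, removing a disallowed character
 * that sits between two dots lets the dots rejoin into {@code ..}. A backslash is kept only when
 * it is the platform separator ({@link File#separator}); the original compared the character with
 * {@code ==}, which never matched, so backslashes were always kept.
 * <p>
 * The result is a sanitized string, not a proof of safety: it may still be absolute or contain
 * repeated separators. Callers should resolve it against a base directory and verify that the
 * normalized result stays inside that directory.
 *
 * @param filePath the untrusted path; {@code null} is treated as empty
 * @return the filtered path, never {@code null}
 */
public static String validFilePath(String filePath) {
    if (filePath == null || filePath.isEmpty()) {
        return "";
    }
    boolean backslashIsSeparator = "\\".equals(File.separator);

    // Pass 1: keep only whitelisted characters; '\' only where it is the OS separator.
    StringBuilder kept = new StringBuilder(filePath.length());
    for (int i = 0; i < filePath.length(); i++) {
        char c = filePath.charAt(i);
        if (!pathCharWhiteList.containsKey(String.valueOf(c))) {
            continue;
        }
        if (c == '\\' && !backslashIsSeparator) {
            continue;
        }
        kept.append(c);
    }

    // Pass 2: drop a '.' that precedes '.', '/' or '\'. Every surviving '.' is therefore followed
    // by a letter, digit or '_' (or ends the string), so no "..", "./" or ".\" can remain.
    StringBuilder out = new StringBuilder(kept.length());
    for (int i = 0; i < kept.length(); i++) {
        char c = kept.charAt(i);
        if (c == '.' && i + 1 < kept.length()) {
            char next = kept.charAt(i + 1);
            if (next == '.' || next == '/' || next == '\\') {
                continue;
            }
        }
        out.append(c);
    }
    return out.toString();
}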
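/**
 * Demo entry point: filters a sample path and prints the input next to the result, so the
 * effect of {@link #validFilePath(String)} is visible (the original discarded the result).
 *
 * @param args ignored
 */
public static void main(String[] args) {
    String str = ".././1111/kksdf/sdfsdf123.lll";
    String str1 = validFilePath(str);
    System.out.println(str + " -> " + str1);
}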