添加非wwwroot文件验证

2 years ago · 393da2db49
1 changed files with 30 additions and 14 deletions
--- a/24Hour/Controllers/Common/CommonController.cs
+++ b/24Hour/Controllers/Common/CommonController.cs
@ -1,6 +1,7 @@
 using AutoMapper;
 using com.sun.org.apache.xalan.@internal.xsltc.runtime;
 using com.sun.tools.@internal.xjc.api;
 using com.sun.xml.@internal.ws.developer;
 using Elight.Entity;
 using Elight.Entity.SystemModel;
 using Elight.Logic;
@ -13,14 +14,17 @@ using java.util;
 using javax.smartcardio;
 using javax.xml.crypto;
 using jdk.nashorn.@internal.ir;
 using MathNet.Numerics.LinearAlgebra;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using NPOI.SS.Formula.Functions;
 using Quartz.Logging;
 using SqlSugar;
 using sun.security.x509;
 using System.Drawing.Printing;
 using System.Security.AccessControl;
 using static com.sun.tools.@internal.xjc.reader.xmlschema.bindinfo.BIConversion;
 using static javax.jws.soap.SOAPBinding;
 using static sun.font.LayoutPathImpl;
 using User = Elight.Utility.User;
@ -2739,19 +2743,34 @@ namespace _24Hour.Controllers.Common
        #endregion
        #region 文件上传
        /// <summary>
        /// 通用文件下载接口
        /// </summary>
        /// <param name="filename"></param>
        /// <returns></returns>
        [HttpPost]
        [Route("RequestDownloadFile")]
        public IActionResult RequestDownloadFile(string filename) //[FromBody] dynamic Json
        {
-            var FileName = System.IO.Path.GetFileName(filename);
+            if (System.IO.File.Exists(filename))
-            var currentDate = DateTime.Now;
+            {
-
+                filename = filename.Replace(@"\\",@"\");
-            var FilePath = filename;
+                var data = System.IO.Path.Combine(Environment.CurrentDirectory, "wwwroot");
-
+                if (filename.Contains(data)==false)
-            return new FileStreamResult(new FileStream(FilePath, FileMode.Open), "application/octet-stream") { FileDownloadName = FileName };
+                {
                    return BadRequest();
                }
                var FileName = System.IO.Path.GetFileName(filename);
                var FilePath = filename;
                return new FileStreamResult(new FileStream(FilePath, FileMode.Open), "application/octet-stream") { FileDownloadName = FileName };
            }
            else
            {
                return BadRequest();
            }
        }
-        private string[] AllowedExtensions = new string[] { ".png", ".jpg", ".jpeg", ".bmp",".xlsx",".aks"};
+        private readonly string[] AllowedExtensions = new string[] { ".png", ".jpg", ".jpeg", ".bmp", ".xlsx", ".aks" };
        /// <summary>
        /// 文件上传--附件
        /// <param name="file"></param>
@ -2784,9 +2803,6 @@ namespace _24Hour.Controllers.Common
                        outParm.Message = "不被允许的文件格式!";
                        return Json(outParm);
                    }
                    var _path = Path.Combine("CaseFile", "card", DateTime.Now.ToString("yyyy-MM-dd"));
                    var dic = Path.Combine(Environment.CurrentDirectory, "wwwroot", _path);
@ -2835,7 +2851,7 @@ namespace _24Hour.Controllers.Common
            Result result = new Result();
            var urlpath = file.Replace("/", @"\");
-            var path = Path.Combine(Environment.CurrentDirectory, "wwwroot"+urlpath);
+            var path = Path.Combine(Environment.CurrentDirectory, "wwwroot" + urlpath);
            if (System.IO.File.Exists(path))
            {
                var str = Elight.Utility.Encrypt.DataEncryption.Decryptiones(path);