diff --git a/YiSha.Util/YiSha.Util/FileHelper.cs b/YiSha.Util/YiSha.Util/FileHelper.cs
index 3a0530e5..1b3da2f6 100644
--- a/YiSha.Util/YiSha.Util/FileHelper.cs
+++ b/YiSha.Util/YiSha.Util/FileHelper.cs
@@ -147,6 +147,8 @@ public static TData DeleteFile(int fileModule, string filePath)
 obj.Message = "请先选择文件!";
 return obj;
 }
+
+ filePath = FilterFilePath(filePath);
 filePath = "Resource" + Path.DirectorySeparatorChar + dirModule + Path.DirectorySeparatorChar + filePath;
 string absoluteDir = Path.Combine(GlobalContext.HostingEnvironment.ContentRootPath, filePath);
 try
@@ -178,8 +180,7 @@ public static TData DeleteFile(int fileModule, string filePath)
 ///
 public static TData DownloadFile(string filePath, int delete)
 {
- filePath = filePath.Replace("../", string.Empty);
- filePath = filePath.TrimStart('/');
+ filePath = FilterFilePath(filePath);
 if (!filePath.StartsWith("wwwroot") && !filePath.StartsWith("Resource"))
 {
 throw new Exception("非法访问");
@@ -301,5 +302,12 @@ public static TData CheckFileExtension(string fileExtension, string allowExtensi
 }
 return obj;
 }
+
+ public static string FilterFilePath(string filePath)
+ {
+ filePath = filePath.Replace("../", string.Empty);
+ filePath = filePath.TrimStart('/');
+ return filePath;
+ }
 }
 }
diff --git a/YiSha.Web/YiSha.Admin.Web/Controllers/FileController.cs b/YiSha.Web/YiSha.Admin.Web/Controllers/FileController.cs
index 5f25620e..48f00403 100644
--- a/YiSha.Web/YiSha.Admin.Web/Controllers/FileController.cs
+++ b/YiSha.Web/YiSha.Admin.Web/Controllers/FileController.cs
@@ -24,6 +24,7 @@ public async Task> UploadFile(int fileModule, IFormCollection file
 #region 删除单个文件
 [HttpPost]
+ [AuthorizeFilter]
 public TData DeleteFile(int fileModule, string filePath)
 {
 TData obj = FileHelper.DeleteFile(fileModule, filePath);
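Review bot: The `FilterFilePath(filePath)` call added ahead of the `"Resource"` prefix is a blacklist, not a confinement check: its single non-recursive `Replace("../", "")` turns `....//` into `../`, and `..\` is not touched at all, so on Windows `absoluteDir` can still resolve outside `Resource\<dirModule>`. Because `absoluteDir` is computed right here, the reliable guard is to canonicalize it with `Path.GetFullPath` and require it to stay under the module directory, returning the same `TData` failure this method already uses for an empty path. The remainder of `DeleteFile`, including the `try` body that does the deletion, is outside the hunk, so the failure shape below is inferred from the visible `obj.Message` / `return obj` lines.
```csharp
string absoluteDir = Path.Combine(GlobalContext.HostingEnvironment.ContentRootPath, filePath);
// Confine the resolved path to Resource/<dirModule>/; lexical "../" stripping alone is bypassable.
string baseDir = Path.GetFullPath(Path.Combine(GlobalContext.HostingEnvironment.ContentRootPath,
    "Resource" + Path.DirectorySeparatorChar + dirModule)) + Path.DirectorySeparatorChar;
if (!Path.GetFullPath(absoluteDir).StartsWith(baseDir, StringComparison.Ordinal))
{
    obj.Message = "非法访问";
    return obj;
}
// … unchanged: try block that deletes the file …
```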
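Review bot: The `StartsWith("wwwroot")` / `StartsWith("Resource")` check that follows the new `FilterFilePath` call still inspects the raw string rather than where it resolves, so `wwwroot/....//....//appsettings.json` (collapsed to `wwwroot/../../appsettings.json` by the one-shot replace) and, on Windows, `wwwroot\..\..\appsettings.json` both pass it. The check belongs on the canonical path once it is joined with the content root, which presumably happens further down in `DownloadFile` outside this hunk (as `DeleteFile` does with `Path.Combine`): `string full = Path.GetFullPath(Path.Combine(root, filePath));` then `if (!full.StartsWith(Path.GetFullPath(Path.Combine(root, "wwwroot")) + Path.DirectorySeparatorChar, StringComparison.Ordinal) && !full.StartsWith(Path.GetFullPath(Path.Combine(root, "Resource")) + Path.DirectorySeparatorChar, StringComparison.Ordinal)) throw new Exception("非法访问");`. Whatever prefix checks remain should pass `StringComparison.Ordinal` so they are not culture-dependent. The method body continues past the end of the hunk.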
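Review bot: The new `FilterFilePath` helper is now the shared sanitizer for both `DeleteFile` and `DownloadFile`, but its single `Replace("../", string.Empty)` is not idempotent — `..././` and `....//` each become `../` after one pass — and it ignores the `..\` form, so it must not be the only traversal defense. For a helper used as a gate, rejecting is safer than rewriting: `if (string.IsNullOrEmpty(filePath) || filePath.Contains("..") || Path.IsPathRooted(filePath)) throw new Exception("非法访问");` ahead of the `TrimStart('/')`, which also removes the NullReferenceException the current body raises on a null argument (at the cost of refusing legitimate names containing `..`, which the callers may or may not need). Either way, give it an XML `<summary>` stating that it is a lexical filter only and that callers must still confine the resolved path with `Path.GetFullPath` plus a base-directory prefix check.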