From 237ac6d43bf3728bf3587c486a23b4a48ea7acb3 Mon Sep 17 00:00:00 2001
From: star7th
Date: Mon, 14 Mar 2022 17:46:33 +0800
Subject: [PATCH] file upload bug
---
 .../Controller/AttachmentController.class.php | 8 ++++---
 .../Api/Model/AttachmentModel.class.php | 23 +++++++++++++++++--
 2 files changed, 26 insertions(+), 5 deletions(-)
diff --git a/server/Application/Api/Controller/AttachmentController.class.php b/server/Application/Api/Controller/AttachmentController.class.php
index d0a67616a..3afc91152 100644
--- a/server/Application/Api/Controller/AttachmentController.class.php
+++ b/server/Application/Api/Controller/AttachmentController.class.php
@@ -79,7 +79,9 @@ public function uploadImg(){
 return false;
 }
- if(D("Attachment")->isDangerFilename($_FILES['editormd-image-file']['name'])){
+ if(!D("Attachment")->isAllowedFilename($_FILES['editormd-image-file']['name'])){
+ $message = "不支持上传该文件类型。如有需要请联系网站管理员" ;
+ echo json_encode(array("message"=>$message,"success"=>0));
 return false;
 }
@@ -109,8 +111,8 @@ public function attachmentUpload(){
 return false;
 }
- if(D("Attachment")->isDangerFilename($uploadFile['name'])){
- $this->sendError(10100,'不支持此文件类型');
+ if(!D("Attachment")->isAllowedFilename($uploadFile['name'])){
+ $this->sendError(10101,'不支持上传该文件类型。如有需要请联系网站管理员');
 return false;
 }
diff --git a/server/Application/Api/Model/AttachmentModel.class.php b/server/Application/Api/Model/AttachmentModel.class.php
index f7781533d..7f69b3cba 100644
--- a/server/Application/Api/Model/AttachmentModel.class.php
+++ b/server/Application/Api/Model/AttachmentModel.class.php
@@ -57,7 +57,7 @@ public function deleteFile($file_id){
 public function upload($_files , $file_key , $uid , $item_id = 0 , $page_id = 0 ){
 $uploadFile = $_files[$file_key] ;
- if($this->isDangerFilename($uploadFile['name'])){
+ if( !$this->isAllowedFilename($_files[$file_key]['name']) ){
 return false;
 }
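Review bot: The rejection path added to uploadImg builds the JSON error by hand, `echo json_encode(array("message"=>$message,"success"=>0));`, while the attachmentUpload hunk in the same file reports the identical condition through `$this->sendError(10101, …)`; unless the editor.md client depends on this exact `{message, success}` shape, both call sites should go through one helper so the code and message text cannot drift apart. The whitelist check itself is the right direction, and it is repeated inside AttachmentModel::upload() in the other file, so the model stays protected for callers that bypass these controllers. uploadImg's body continues outside the hunk, so the surrounding response handling is not visible here.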
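Review bot: The error code returned by attachmentUpload changes from 10100 to 10101 together with the message text, which is an API-visible change for any client that keys on the numeric code; if 10100 is still meant to denote "unsupported file type", keep `$this->sendError(10100,'不支持上传该文件类型。如有需要请联系网站管理员');` and only update the text, otherwise note the new code where the error codes are documented. Whether anything outside this diff consumes 10100 cannot be seen from the hunk.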
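Review bot: The new condition in upload() reads the name through `$_files[$file_key]['name']` although `$uploadFile` was just assigned from `$_files[$file_key]` on the line above; use the local, `if(!$this->isAllowedFilename($uploadFile['name'])){`, so the guard and the value actually stored cannot diverge if the lookup is changed later. The extra spaces inside the parentheses also differ from the two controller call sites touched by this commit. upload()'s body continues past the hunk, so what happens to the file after the check is not visible here.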
@@ -288,6 +288,7 @@ public function getQiuniuEndpointByKey($key,$bucket){
 }
 // 判断文件名是否包含危险的扩展名
+ // 准备弃用。因为一个个ban太麻烦了。准备改用白名单机制
 public function isDangerFilename($filename){
 $isDangerStr = function ($filename , $keyword){
@@ -319,6 +320,24 @@ public function isDangerFilename($filename){
 return false;
 }
-
+ // 判断上传的文件扩展名是否处于白名单内
+ public function isAllowedFilename($filename){
+ $allow_array = array(
+ '.jpg','.jpeg','.png','.bmp','.gif','.ico','.webp',
+ '.mp3','.wav','.m4a','.ogg','.webma','.mp4','.flv',
+ '.mov','.webmv','.m3u8a','.flac','.mkv',
+ '.zip','.tar','.gz','.tgz','.ipa','.apk','.rar','.iso','.bz2','.epub',
+ '.pdf','.ofd','.swf','.epub','.xps',
+ '.doc','.docx','.odt','.rtf','.docm','.dotm','.dot','.dotx','.wps','.wpt',
+ '.ppt','.pptx','.xls','.xlsx','.txt','.md','.psd','.csv',
+ '.cer','.ppt','.pub','.properties','.json','.css',
+ ) ;
+
+ $ext = strtolower(substr($filename,strripos($filename,'.')) ); //获取文件扩展名(转为小写后)
+ if(in_array( $ext , $allow_array ) ){
+ return true ;
+ }
+ return false;
+ }
 }
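Review bot: The note added above isDangerFilename says the blacklist is about to be retired in favour of a whitelist, but as a plain `//` comment no tooling will see it; a PHPDoc tag such as `/** @deprecated Blacklist check kept for compatibility; use isAllowedFilename() instead. */` lets PHPStan/Psalm and IDEs flag any caller that has not yet switched. Whether other callers of isDangerFilename remain outside the three sites changed in this commit is not visible in the diff.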
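Review bot: isAllowedFilename derives the extension with `strripos($filename,'.')`, which returns `false` when the name has no dot; `substr($filename, false)` then yields the whole name and the call is rejected only because that happens not to be in the list, and the following `in_array` runs without `strict: true`. The whitelist also carries duplicate `'.epub'` and `'.ppt'` entries, and `'.swf'` is active content rather than a document format, so I would remove it unless Flash uploads are still required. The check looks only at the final extension, so a name with several dots is accepted on its last one; that is only adequate when the stored file is later served with a Content-Type derived the same way and `X-Content-Type-Options: nosniff` from a location that does not execute scripts, none of which is decided in this hunk. The rewrite below makes the no-extension case explicit and the comparison strict, leaving the array itself unchanged apart from the duplicates.
```php
    public function isAllowedFilename($filename){
        // … unchanged: $allow_array whitelist, with the duplicate '.epub' and '.ppt' entries removed …
        $dot = strrpos($filename, '.');
        if ($dot === false) {
            return false; // no extension at all: nothing to match against the whitelist
        }
        $ext = strtolower(substr($filename, $dot)); // extension including the leading dot, lowercased
        return in_array($ext, $allow_array, true);
    }
```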