From 1b6ddfeb66f539f84d43bc124d8deae59bd637b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=A4=A7=E7=9F=B3=E5=A4=B4?=
Date: Tue, 3 Sep 2024 14:28:24 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BB=85=E6=94=AF=E6=8C=81=E4=B8=8A=E4=BC=A0?= =?UTF-8?q?=E5=9B=BE=E7=89=87=E6=96=87=E4=BB=B6=E3=80=82close:=20https://g?= =?UTF-8?q?ithub.com/NewLifeX/NewLife.Cube/issues/78?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 NewLife.Cube/Areas/Admin/Controllers/UserController.cs | 6 ++++++
 NewLife.CubeNC/Areas/Admin/Controllers/UserController.cs | 4 ++++
 2 files changed, 10 insertions(+)

diff --git a/NewLife.Cube/Areas/Admin/Controllers/UserController.cs b/NewLife.Cube/Areas/Admin/Controllers/UserController.cs
index 4a3d0a68..16d533c7 100644
--- a/NewLife.Cube/Areas/Admin/Controllers/UserController.cs
+++ b/NewLife.Cube/Areas/Admin/Controllers/UserController.cs
@@ -383,6 +383,12 @@ public async Task Info(User user)
 var file = HttpContext.Request.Form.Files["avatar"];
 if (file != null)
 {
+ var ext = Path.GetExtension(file.FileName);
+ //if (ext.EqualIgnoreCase(".exe", ".bat", ".com", ".vbs", ".js", ".jar", ".msi", ".lnk"))
+ // throw new Exception("禁止上传可执行文件!");
+ if (!ext.EqualIgnoreCase(".png", ".jpg", ".gif", ".bmp", ".tiff", ".svg"))
+ throw new Exception("仅支持上传图片文件!");
+
 //var set = CubeSetting.Current;
 //var fileName = user.ID + Path.GetExtension(file.FileName);
 var att = await SaveFile(user, file, null, null);
diff --git a/NewLife.CubeNC/Areas/Admin/Controllers/UserController.cs b/NewLife.CubeNC/Areas/Admin/Controllers/UserController.cs
index 6d1413dc..3e1951f5 100644
--- a/NewLife.CubeNC/Areas/Admin/Controllers/UserController.cs
+++ b/NewLife.CubeNC/Areas/Admin/Controllers/UserController.cs
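Review bot: The new allowlist in `Info` still admits `.svg`, and the test looks only at the extension of the client-supplied `file.FileName`, so it does not establish that the upload is a harmless raster image. SVG is XML that can carry script and event handlers, so an avatar served back from the application's own origin as `image/svg+xml` can become stored XSS; dropping it, `if (!ext.EqualIgnoreCase(".png", ".jpg", ".gif", ".bmp", ".tiff"))`, closes that path unless SVGs are sanitized or served as attachments. `Info` continues outside the hunk and `SaveFile` is not shown, so I can't tell whether the content is inspected or the stored name is re-derived server-side; if neither happens, decoding the bytes as an image before saving would make the check meaningful. The same two lines are added in the NewLife.CubeNC hunk and need the same change.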
@@ -565,6 +565,10 @@ public async Task Info(User user)
 var file = HttpContext.Request.Form.Files["avatar"];
 if (file != null)
 {
+ var ext = Path.GetExtension(file.FileName);
+ if (!ext.EqualIgnoreCase(".png", ".jpg", ".gif", ".bmp", ".tiff", ".svg"))
+ throw new Exception("仅支持上传图片文件!");
+
 //var set = CubeSetting.Current;
 //var fileName = user.ID + Path.GetExtension(file.FileName);
 var att = await SaveFile(user, file, null, null);
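Review bot: The extension allowlist is written out as a literal here and again in NewLife.Cube's `UserController`, so a later tightening of this security check can land in one copy and miss the other. The two copies already differ, since the NewLife.Cube one also carries a commented-out denylist that this one lacks. I would hoist the list into one shared `static readonly String[]` in code both projects reference and call it from both actions, e.g. `if (!ext.EqualIgnoreCase(AllowedAvatarExtensions))` (the name is only a suggestion), and delete the commented-out lines. `Info`'s body starts and ends outside this hunk.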