We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
**问题描述:**没有对文件类型进行验证,攻击者可以上传恶意文件 直接通过ToolUtil.getFileSuffix(picture.getOriginalFilename()) 保存原有后缀名 可上传恶意的html文件在访问时候触发xss 修复建议: 校验文件上传的后缀 renderPicture 位置返回base64编码格式 如: const base64Image = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAA...";
url: /mgr/upload 参数:file: picture
The text was updated successfully, but these errors were encountered:
No branches or pull requests
**问题描述:**没有对文件类型进行验证,攻击者可以上传恶意文件 直接通过ToolUtil.getFileSuffix(picture.getOriginalFilename()) 保存原有后缀名 可上传恶意的html文件在访问时候触发xss
修复建议: 校验文件上传的后缀 renderPicture 位置返回base64编码格式 如: const base64Image = "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAA...";
url: /mgr/upload
参数:file: picture
The text was updated successfully, but these errors were encountered: