转载

JAVA文件上传漏洞修复

import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.util.Arrays;
import org.apache.tika.metadata.Metadata;
import org.apache.tika.parser.AutoDetectParser;
import org.apache.tika.parser.ParseContext;
import org.apache.tika.parser.Parser;
import org.apache.tika.sax.BodyContentHandler;
import org.xml.sax.ContentHandler;

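public class TikaDemo1 {

    public static void main(String[] args) {

        File file = new File("C://Users//zhutougg//Desktop//yjh.png");
        // Content types the upload handler is willing to accept (an allowlist).
        String[] allowedTypes = {"image/png","image/jpeg","text/plain","png"};
        checkFile(file, allowedTypes);
    }

    /**
     * Uses Apache Tika to identify a file's content type from its content and
     * checks that type against a list of permitted types.
     *
     * <p>The check fails closed: a missing argument, an unreadable or
     * unparseable file, or an undetermined content type all yield {@code false}.
     *
     * <p>A matching content type only shows what the file looks like to Tika.
     * An upload handler should still store the file under a server-generated
     * name, in a location the web server does not execute from.
     *
     * @param file the file to inspect
     * @param blacklist the permitted content types; despite the historical
     *     parameter name this is an allowlist, and only types listed here are
     *     accepted. Entries are compared case-insensitively and need not be sorted.
     * @author zhutougg
     * @return {@code true} only if the detected content type is in the list
     */
    public static boolean checkFile(File file, String[] blacklist){
        if (file == null || blacklist == null) {
            return false;
        }

        Parser parser = new AutoDetectParser();
        Metadata metadata = new Metadata();
        // NOTE(review): the file name is passed to Tika as a detection hint. If the
        // name comes from the uploader it may influence the result when content
        // sniffing is inconclusive; confirm that is intended.
        metadata.set(Metadata.RESOURCE_NAME_KEY, file.getName());
        // NOTE(review): BodyContentHandler buffers extracted text and applies a
        // default write limit; a file exceeding it presumably makes parse() throw
        // and is rejected below. Verify against the Tika version in use.
        ContentHandler handler = new BodyContentHandler();

        // try-with-resources closes the stream on every path; the original leaked it.
        try (InputStream is = new FileInputStream(file)) {
            parser.parse(is, handler, metadata, new ParseContext());
        } catch (Exception e) {
            e.printStackTrace();
            return false;
        }

        String detected = metadata.get(Metadata.CONTENT_TYPE);
        if (detected == null) {
            return false;
        }
        // Parsers may append parameters (e.g. "text/plain; charset=UTF-8");
        // compare only the bare media type.
        int paramStart = detected.indexOf(';');
        String mediaType = (paramStart >= 0 ? detected.substring(0, paramStart) : detected).trim();

        // The original searched for the literal string "CONTENTTYPE" with
        // Arrays.binarySearch on an unsorted array and treated every result other
        // than -1 as a match, so the outcome did not depend on the detected type
        // being listed. A linear scan of the detected value is correct for any order.
        return Arrays.stream(blacklist)
                .anyMatch(allowed -> allowed != null && allowed.trim().equalsIgnoreCase(mediaType));
    }
}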
原文  http://www.zhutougg.com/2018/09/14/javawen-jian-shang-chuan-lou-dong-xiu-fu/