包:com.gdxsoft.easyweb.uploader
类:Upload
方法:init
处理 Upload 的 _uploadDir 目录时,对路径中的“..”和目录长度进行限制。
/**
 * Initialises the uploader; the visible part of this listing resolves the
 * upload directory ({@code _uploadDir}) and upload name ({@code _uploadName})
 * from the "Upload" entry of a configured item.
 *
 * <p>{@code _uploadDir} starts as {@code DEFAULT_UPLOAD_PATH} and is replaced
 * by the configured "UpPath" value when that value is non-blank. Before it is
 * accepted, every ".." sequence is removed from the value, and a value longer
 * than 255 characters is replaced by {@code DEFAULT_UPLOAD_PATH}. If the
 * "Upload" entry is empty, or any exception is thrown, {@code _uploadDir} is
 * set to {@code null} and the method returns early.
 *
 * <p>Lines shown as {@code ...} are omitted from this listing; {@code uc},
 * {@code name} and {@code iv} are defined in those omitted parts.
 *
 * @param request the servlet request (not referenced in the visible lines)
 */
public void init(HttpServletRequest request) {
...
try {
...
// Start from the default; overridden below only if a usable UpPath is configured.
_uploadDir = DEFAULT_UPLOAD_PATH;
UserXItem uxi = uc.getUserXItems().getItem(name);
// presumably testName checks whether the item defines an "Upload" entry — confirm
if (uxi.testName("Upload")) {
_uploadName = uxi.getName();
if (uxi.getItem("Upload").count() == 0) {
// Message text: "configuration item is incomplete, please fix the configuration file".
System.err.println(_uploadName + "配置项信息不全,请修改配置文件");
// A null _uploadDir is the failure signal used throughout this method.
_uploadDir = null;
return;
}
// Only the first value of the "Upload" entry is consulted.
UserXItemValue u = uxi.getItem("Upload").getItem(0);
if (u.testName("UpPath")) {
String p = u.getItem("UpPath");
if (!p.trim().equals("")) {
// NOTE(review): replaceParameters is opaque here; presumably it substitutes
// parameter placeholders in the configured path. If those values can come
// from the request, p must be treated as untrusted from this point — confirm.
p = iv.replaceParameters(p, false);
// Traversal guard: log the offending value, then delete every ".." sequence.
if (p.indexOf("..") >= 0) {
// Message text: "upload path contains '..', replaced (<old>)-->" followed by the new value.
System.err.println(this + "上传路径出现‘..’,被替换(" + p + ")-->");
p = p.replace("..", "");
System.err.println(p);
}
// NOTE(review): removing ".." does not by itself keep the result under an
// upload root; an absolute path contains no ".." and passes unchanged.
// A stricter check resolves p against the intended base directory and
// verifies that the normalized result still starts with that base.
// Length guard: String.length() counts UTF-16 chars of the whole path,
// not bytes and not per path component.
if (p.length() > 255) {
// Message text: "upload path length exceeds 255, replaced (<old>)-->" followed by the default.
System.err.println(this + "上传路径长度超过255,被替换(" + p + ")-->");
p = DEFAULT_UPLOAD_PATH;
System.err.println(p);
}
_uploadDir = p;
}
}
...
}
} catch (Exception e) {
// Any failure above disables the upload directory. Only the exception message
// is printed; the exception type and stack trace are discarded.
System.err.println(e.getMessage());
_uploadDir = null;
return;
}
...
}