getrebuild/rebuild
1
1
Fork 0
mirror of https://github.com/getrebuild/rebuild.git synced 2025-10-02 03:25:00 +08:00
Code Issues Projects Releases Packages Wiki Activity

Fix 3.8.5 (#830)

Browse source 
* sec: rm proxy-download

* be: isExternalUrl

* be:文件上传特殊符号:空格替换为-

* TOKEN4FILE

* fix: 下载文件名特殊符号

* v3.8.5
This commit is contained in:
REBUILD 企业管理系统 2024-11-11 22:04:12 +08:00 committed by GitHub
parent 79f4828db5
commit 557b06e5ac
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
9 changed files with 21 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
pom.xml
View file

@ -10,7 +10,7 @@
</parent>
<groupId>com.rebuild</groupId>
<artifactId>rebuild</artifactId>
<version>3.8.4</version>
<version>3.8.5</version>
<name>rebuild</name>
<description>Building your business-systems freely!</description>
<url>https://getrebuild.com/</url>

4
src/main/java/com/rebuild/core/Application.java
View file

@ -74,11 +74,11 @@ public class Application implements ApplicationListener<ApplicationStartedEvent>
/**
* Rebuild Version
*/
public static final String VER = "3.8.4";
public static final String VER = "3.8.5";
/**
* Rebuild Build [MAJOR]{1}[MINOR]{2}[PATCH]{2}[BUILD]{2}
*/
public static final int BUILD = 3080408;
public static final int BUILD = 3080510;
static {
// Driver for DB

5
src/main/java/com/rebuild/core/metadata/EntityRecordCreator.java
View file

@ -23,6 +23,7 @@ import com.rebuild.core.metadata.easymeta.EasyText;
import com.rebuild.core.metadata.impl.EasyFieldConfigProps;
import com.rebuild.core.service.DataSpecificationException;
import com.rebuild.core.support.i18n.Language;
import com.rebuild.utils.CommonsUtils;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang3.BooleanUtils;
@ -225,10 +226,10 @@ public class EntityRecordCreator extends JsonRecordCreator {
|| field.getDisplayType() == DisplayType.AVATAR) {
String s = value.toString().toLowerCase();
boolean unsafe = s.contains("http://") || s.contains("https://");
boolean unsafe = CommonsUtils.isExternalUrl(s);
if (!unsafe) {
s = CodecUtils.urlDecode(s);
unsafe = s.contains("http://") || s.contains("https://");
unsafe = CommonsUtils.isExternalUrl(s);
}
if (unsafe) {

4
src/main/java/com/rebuild/core/support/integration/QiniuCloud.java
View file

@ -27,6 +27,7 @@ import com.rebuild.core.RebuildException;
import com.rebuild.core.cache.CommonsCache;
import com.rebuild.core.support.ConfigurationItem;
import com.rebuild.core.support.RebuildConfiguration;
import com.rebuild.utils.AppUtils;
import com.rebuild.utils.CommonsUtils;
import com.rebuild.utils.OkHttpUtils;
import lombok.extern.slf4j.Slf4j;
@ -325,6 +326,7 @@ public class QiniuCloud {
fileName = fileName.replace("__", "_");
}
// 去除特殊符号
fileName = fileName.replace(" ", " ").replace(" ", "-");
fileName = fileName.replaceAll("[?&#+%/\\s]", "");
// 文件名长度控制
@ -418,7 +420,7 @@ public class QiniuCloud {
*/
public static File getStorageFile(String filepath) throws IOException, RebuildException {
File file = null;
if (filepath.startsWith("http://") || filepath.startsWith("https://")) {
if (CommonsUtils.isExternalUrl(filepath)) {
String name = filepath.split("\\?")[0];
name = name.substring(name.lastIndexOf("/") + 1);
file = RebuildConfiguration.getFileOfTemp("dn" + System.nanoTime() + "." + name);

3
src/main/java/com/rebuild/utils/MarkdownLinkAttrProvider.java
View file

@ -43,8 +43,7 @@ public class MarkdownLinkAttrProvider {
public void setAttributes(Node node, AttributablePart part, MutableAttributes attributes) {
if (node instanceof Link && part == AttributablePart.LINK) {
Link link = (Link) node;
String url = link.getUrl().toString();
if (url.startsWith("http://") || url.startsWith("https://")) {
if (CommonsUtils.isExternalUrl(link.getUrl().toString())) {
attributes.replaceValue("target", "_blank");
}
}

3
src/main/java/com/rebuild/web/admin/ConfigurationController.java
View file

@ -27,6 +27,7 @@ import com.rebuild.core.support.RebuildConfiguration;
import com.rebuild.core.support.i18n.Language;
import com.rebuild.core.support.integration.QiniuCloud;
import com.rebuild.core.support.integration.SMSender;
import com.rebuild.utils.CommonsUtils;
import com.rebuild.utils.JSONUtils;
import com.rebuild.utils.RbAssert;
import com.rebuild.web.BaseController;
@ -160,7 +161,7 @@ public class ConfigurationController extends BaseController {
data.put(ConfigurationItem.StorageURL.name(), dStorageUrl); // fix
}
if (dStorageUrl.startsWith("http://") || dStorageUrl.startsWith("https://")) {
if (CommonsUtils.isExternalUrl(dStorageUrl)) {
// OK
} else {
if (dStorageUrl.startsWith("//")) {

16
src/main/java/com/rebuild/web/commons/FileDownloader.java
View file

@ -62,7 +62,7 @@ public class FileDownloader extends BaseController {
filepath = filepath.split("/filex/img/")[1];
filepath = CodecUtils.urlDecode(filepath);
if (filepath.startsWith("http://") || filepath.startsWith("https://")) {
if (CommonsUtils.isExternalUrl(filepath)) {
response.sendRedirect(filepath);
return;
}
@ -218,15 +218,6 @@ public class FileDownloader extends BaseController {
ServletUtils.write(response, text);
}
@GetMapping(value = "proxy-download")
public void proxyDownload(HttpServletRequest request, HttpServletResponse response) throws IOException {
String fileUrl = request.getParameter("url");
fileUrl = CodecUtils.urlDecode(fileUrl);
File tmp = QiniuCloud.getStorageFile(fileUrl);
writeLocalFile(tmp, response);
}
/**
* 独立认证检测
*
@ -251,6 +242,10 @@ public class FileDownloader extends BaseController {
if (user == null) {
String onceToken = request.getParameter(AppUtils.URL_ONCETOKEN);
user = onceToken == null ? null : AuthTokenManager.verifyToken(onceToken);
// v3.8.5 留存10s
if (user == null) user = (ID) Application.getCommonsCache().getx("TOKEN4FILE:" + onceToken);
if (user != null) Application.getCommonsCache().putx("TOKEN4FILE:" + onceToken, user, 10);
}
// 5. UnsafeImgAccess
if (user == null && RebuildConfiguration.getBool(ConfigurationItem.UnsafeImgAccess)) {
@ -339,6 +334,7 @@ public class FileDownloader extends BaseController {
// 特殊字符处理
attname = attname.replace(" ", "-");
attname = attname.replace("%", "-");
attname = attname.replaceAll("[,;]", "-");
// 火狐 Safari 中文名乱码问题
String UA = StringUtils.defaultIfBlank(request.getHeader("user-agent"), "").toUpperCase();

4
src/main/java/com/rebuild/web/commons/UrlSafe.java
View file

@ -38,9 +38,7 @@ public class UrlSafe extends BaseController {
@GetMapping("/commons/url-safe")
public ModelAndView safeRedirect(HttpServletRequest request, HttpServletResponse response) throws IOException {
String url = getParameterNotNull(request, "url");
if (!(url.startsWith("http://") || url.startsWith("https://"))) {
url = "http://" + url;
}
if (!CommonsUtils.isExternalUrl(url)) url = "http://" + url;
boolean nosafe = !RegexUtils.isUrl(url);
if (url.contains(">")) {

3
src/main/java/com/rebuild/web/user/UserAvatar.java
View file

@ -19,6 +19,7 @@ import com.rebuild.core.privileges.bizz.User;
import com.rebuild.core.support.RebuildConfiguration;
import com.rebuild.core.support.integration.QiniuCloud;
import com.rebuild.utils.AppUtils;
import com.rebuild.utils.CommonsUtils;
import com.rebuild.web.BaseController;
import com.rebuild.web.commons.FileDownloader;
import lombok.extern.slf4j.Slf4j;
@ -93,7 +94,7 @@ public class UserAvatar extends BaseController {
String avatarUrl = realUser.getAvatarUrl();
// 外部地址
if (avatarUrl != null && (avatarUrl.startsWith("http://") || avatarUrl.startsWith("https://"))) {
if (CommonsUtils.isExternalUrl(avatarUrl)) {
response.sendRedirect(avatarUrl);
return;
}