一.文件上传
<%--
Created by IntelliJ IDEA.
User: Administrator
Date: 2018/7/31
Time: 9:14
To change this template use File | Settings | File Templates.
--%>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<html>
<head>
<title>Title</title>
<script src="js/jquery.min.js"></script>
<script>
//原生方式实现
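function upload() {
  // Build the multipart body straight from the form; FormData picks up the file input itself.
  var data = new FormData(document.getElementById("form1"));
  // Plain XMLHttpRequest (naming differed across old browser generations; Chrome is the reference here).
  var ajax = new XMLHttpRequest();
  ajax.open("POST", "doupload.jsp", true);
  ajax.onload = function (result) {
    console.log(result);
    console.log(ajax);
    // doupload.jsp answers with an HTML fragment, so it is rendered as HTML on success.
    // A non-2xx reply (container error page, size-limit failure) used to be injected
    // the same way; now only the status is shown.
    if (ajax.status >= 200 && ajax.status < 300) {
      document.getElementById("resp").innerHTML = ajax.responseText;
    } else {
      document.getElementById("resp").textContent = "上传失败: HTTP " + ajax.status;
    }
  };
  // Network-level failures never reach onload; without this the page stayed silent.
  ajax.onerror = function () {
    document.getElementById("resp").textContent = "上传失败: 网络错误";
  };
  ajax.send(data);
}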
//使用jquery上传
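function jqueryupload() {
  // Same multipart body as upload(), built from the raw DOM element behind the jQuery wrapper.
  var formData = new FormData(jQuery("#form1")[0]);
  jQuery.ajax({
    type: 'POST',
    url: 'doupload.jsp',
    data: formData,
    // Both flags are required for FormData: jQuery must neither serialize the body
    // nor override the multipart boundary the browser sets.
    processData: false,
    contentType: false,
    success: function (resp) {
      console.log(resp);
      jQuery("#resp").html(resp);
    },
    // A failed request previously left the page silent; report the HTTP status instead.
    error: function (xhr) {
      jQuery("#resp").text("上传失败: HTTP " + xhr.status);
    }
  });
}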
</script>
</head>
<body>
<form method="post" action="doupload.jsp" id="form1" enctype="multipart/form-data">
<input type="file" name="file1" id="file1"/>
<button type="button" onclick="upload()" >原生文件上传</button>
<button type="button" onclick="jqueryupload()" >jQuery文件上传</button>
</form>
<div id="resp">
</div>
</body>
</html>
<%@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<%@ page import="org.apache.commons.fileupload.disk.DiskFileItemFactory" %>
<%@ page import="org.apache.commons.fileupload.servlet.ServletFileUpload" %>
<%@ page import="java.util.List" %>
<%@ page import="org.apache.commons.fileupload.FileItem" %>
<%@ page import="java.io.OutputStream" %>
<%@ page import="java.io.FileOutputStream" %>
<%@ page import="java.io.File" %>
<%@ page import="org.apache.commons.io.IOUtils" %>
<%--
Created by IntelliJ IDEA.
User: Administrator
Date: 2018/7/29
Time: 16:29
To change this template use File | Settings | File Templates.
--%>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%
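// Factory for the uploaded parts; parts above the threshold are spooled to the factory's temp dir.
DiskFileItemFactory factory = new DiskFileItemFactory();
// Buffer size: 8 KB.
factory.setSizeThreshold(8 * 1024);
// Upload parser built on the factory.
ServletFileUpload servletFileUpload = new ServletFileUpload(factory);
// Per-file limit: 40 MB.
servletFileUpload.setFileSizeMax(1024 * 1024 * 40);
// Whole-request limit: without it a request carrying many parts is unbounded even though
// each part is capped.
servletFileUpload.setSizeMax(1024 * 1024 * 40);
// parseRequest throws on a non-multipart body; reject it up front instead.
if (!ServletFileUpload.isMultipartContent(request)) {
    response.getWriter().println("<h1>请求不是 multipart/form-data!</h1>");
    return;
}
// Parse the request into its parts.
List<FileItem> items = servletFileUpload.parseRequest(request);
// Destination directory: the webapp's real path, canonicalised once so the containment
// check below compares like with like.
File uploadDir = new File(request.getServletContext().getRealPath("/")).getCanonicalFile();
for (FileItem item : items) {
    // isFormField: an ordinary input (anything other than type=file).
    if (item.isFormField()) {
        System.out.println(item.getFieldName());
        System.out.println(item.getString());
        continue;
    }
    // File part.
    System.out.println("获得文件上传的值");
    System.out.println(item.getFieldName());
    System.out.println(item.getName());
    // The submitted name is client-controlled and may carry a path (C:\...\x or ../x);
    // keep only the last segment, regardless of which separator was used.
    String clientName = item.getName() == null ? "" : item.getName().replace('\\', '/');
    String baseName = clientName.substring(clientName.lastIndexOf('/') + 1);
    // Allow-list by extension instead of the old ".jsp" deny-list, which variants such as
    // .jspx or .JSP slipped past. The page only needs images (the result is shown in an <img>).
    int dot = baseName.lastIndexOf('.');
    String ext = dot < 0 ? "" : baseName.substring(dot + 1).toLowerCase(java.util.Locale.ROOT);
    if (!java.util.Arrays.asList("jpg", "jpeg", "png", "gif").contains(ext)) {
        response.getWriter().println("<h1>上传文件格式非法!</h1>");
        return;
    }
    // Unique, server-generated name: no collisions/overwrites between uploads and no
    // remaining dependence on the client-supplied name.
    String storedName = java.util.UUID.randomUUID().toString() + "." + ext;
    File target = new File(uploadDir, storedName).getCanonicalFile();
    // Containment check: the canonical target must still be inside uploadDir.
    if (!target.toPath().startsWith(uploadDir.toPath())) {
        response.getWriter().println("<h1>上传文件格式非法!</h1>");
        return;
    }
    // Exposed to the page (the <img> after the scriptlet reads it) under the stored name.
    pageContext.setAttribute("filename", storedName);
    // Copy the part to disk; try-with-resources closes both streams even if the copy fails.
    try (java.io.InputStream in = item.getInputStream();
         OutputStream os = new FileOutputStream(target)) {
        IOUtils.copy(in, os);
    }
}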
%>
<img src="<c:out value="${filename}"/>" />
二.文件下载
<%@ page import="java.io.File" %>
<%@ page import="org.apache.commons.io.IOUtils" %>
<%@ page import="java.io.FileInputStream" %>
<%@ page import="java.io.OutputStream" %>
<%@ page import="java.net.URLEncoder" %>
<%@ page import="org.apache.commons.io.FilenameUtils" %>
<%@ page contentType="text/html;charset=UTF-8" language="java" %>
<%
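// Serve a file requested by name as an attachment.
String requested = request.getParameter("filename");
if (requested == null || requested.isEmpty()) {
    response.sendError(HttpServletResponse.SC_BAD_REQUEST);
    return;
}
// Fix for the arbitrary-file-download hole: files are only served from the webapp's
// /download directory (allow-listed directory), and the canonical path of the resolved
// file must still lie under it. That rejects ../ escapes, absolute paths and symlinks
// that point outside (WEB-INF and friends) without needing a character deny-list.
String downloadRoot = request.getServletContext().getRealPath("/download");
if (downloadRoot == null) {
    // getRealPath returns null when the webapp is not exploded on disk; nothing to serve.
    response.sendError(HttpServletResponse.SC_NOT_FOUND);
    return;
}
File baseDir = new File(downloadRoot).getCanonicalFile();
File file = new File(baseDir, requested).getCanonicalFile();
if (!file.toPath().startsWith(baseDir.toPath()) || !file.isFile()) {
    response.sendError(HttpServletResponse.SC_NOT_FOUND);
    return;
}
// Drop whatever the JSP writer buffered before switching to the raw output stream
// (response.reset() would also do, but is not required).
out.clear();
// Extension taken from the resolved file rather than the raw parameter.
String extfilename = FilenameUtils.getExtension(file.getName());
System.out.println(extfilename);
System.out.println(URLEncoder.encode("中文", "utf-8"));
// URL-encode the non-ASCII download name so it survives the header and cannot carry CR/LF.
response.setHeader("Content-disposition", "attachment;filename=" + URLEncoder.encode("中文." + extfilename, "utf-8"));
response.setContentType("application/octet-stream");
// Stream the file; try-with-resources closes the input even when the copy fails midway
// (the old code leaked the FileInputStream on every request).
try (FileInputStream in = new FileInputStream(file);
     OutputStream os = response.getOutputStream()) {
    IOUtils.copy(in, os);
    os.flush();
}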
%>