1.配置白名单
在配置文件中配置白名单列表
UploadFile.Extention=doc,docx,eml,htm,html,jpg,mht,msg,png,ppt,pptx,rar,txt,xls,xlsx,zip,pdf,jpeg,gif
2.拦截器
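/**
 * Rejects multipart uploads whose file name does not end in a whitelisted extension.
 *
 * <p>Only the final extension of each uploaded file name is compared, exactly and
 * case-insensitively, against the comma-separated {@code UploadFile.Extention} property;
 * file content is not inspected. Every file in the request is validated, and the first
 * non-whitelisted file aborts the request with a fixed HTML alert.
 */
public class FileShellInterceptor extends HandlerInterceptorAdapter {

    /** Configuration key holding the comma-separated extension whitelist. */
    private static final String WHITELIST_PROPERTY = "UploadFile.Extention";

    /** Used only to detect multipart bodies; created once instead of per request. */
    private static final MultipartResolver MULTIPART_RESOLVER = new CommonsMultipartResolver();

    /**
     * Validates every uploaded file before the handler runs.
     *
     * @param request  the current request; a multipart body must already have been
     *                 wrapped as a {@link MultipartHttpServletRequest} by the dispatcher
     * @param response receives the rejection message when a file is refused
     * @param handler  the target handler (not used)
     * @return {@code true} to continue with the handler, {@code false} after a rejection
     *         has been written to {@code response}
     * @throws IllegalStateException if the body is multipart but was not wrapped
     * @throws Exception if writing the rejection response fails
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        if (!MULTIPART_RESOLVER.isMultipart(request)) {
            return true; // nothing uploaded, nothing to check
        }
        if (!(request instanceof MultipartHttpServletRequest)) {
            // An unconditional cast would surface this as a ClassCastException; name the problem instead.
            throw new IllegalStateException("multipart request was not resolved before FileShellInterceptor");
        }
        MultipartHttpServletRequest multipartRequest = (MultipartHttpServletRequest) request;
        // getMultiFileMap() yields every file of a field; getFileMap() exposes only the first one.
        // Returning early on the first accepted file would leave later files unchecked, so the
        // loop only exits on a rejection.
        for (java.util.List<MultipartFile> fieldFiles : multipartRequest.getMultiFileMap().values()) {
            for (MultipartFile multipartFile : fieldFiles) {
                String filename = multipartFile.getOriginalFilename();
                // An empty name means the form field was left blank; there is no file to validate.
                if (StringUtils.isNotEmpty(filename) && !checkFile(filename)) {
                    reject(response);
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Writes the rejection page. The message is a fixed literal; no request data is echoed.
     *
     * @param response the response to write to
     * @throws java.io.IOException if the writer cannot be obtained or written
     */
    private static void reject(HttpServletResponse response) throws java.io.IOException {
        response.setCharacterEncoding("UTF-8");
        response.setContentType("text/html");
        response.getWriter().write("<script>alert('上传文件无效!');</script>");
    }

    /**
     * Checks whether the final extension of {@code fileName} is on the configured whitelist.
     *
     * <p>Each whitelist entry is compared with {@code equals} after trimming and lower-casing;
     * a substring match (the former {@code String.contains} check) would accept any fragment of
     * the list, such as {@code "oc"} or {@code "x"}, and an empty extension. Missing whitelist,
     * missing extension and trailing dot all fail closed.
     *
     * @param fileName the original file name as sent by the client
     * @return {@code true} only when the extension exactly matches a whitelist entry
     */
    private boolean checkFile(String fileName) {
        String suffixList = AppConfigurationProperties.getProperty(WHITELIST_PROPERTY);
        if (suffixList == null || fileName == null) {
            return false; // no whitelist configured: refuse rather than accept everything
        }
        int dot = fileName.lastIndexOf('.');
        if (dot < 0) {
            return false; // no extension at all
        }
        // Locale.ROOT keeps the comparison stable regardless of the JVM's default locale.
        String suffix = fileName.substring(dot + 1).trim().toLowerCase(java.util.Locale.ROOT);
        if (suffix.isEmpty()) {
            return false; // "name." style trailing dot
        }
        for (String allowed : suffixList.split(",")) {
            if (suffix.equals(allowed.trim().toLowerCase(java.util.Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }
}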
3.拦截器配置
<!--文件上传拦截器-->
<mvc:interceptors>
<mvc:interceptor>
<mvc:mapping path="/iknow/DocumentMain.do"/>
<mvc:mapping path="/iknow/CategoryDocMain.do"/>
<bean class="com.test.FileShellInterceptor"></bean>
</mvc:interceptor>
</mvc:interceptors>