文件下载安全优化

feat/task1-c-wallet
Devil 2021-05-15 23:49:49 +08:00
parent 507d511c77
commit 388672247e
2 changed files with 14 additions and 5 deletions


@ -56,13 +56,12 @@ class QrCode extends Common
public function Download()
{
$params = input();
if(empty($params['url']))
$ret = (new \base\Qrcode())->Download($params);
if(!empty($ret) && isset($ret['code']) && $ret['code'] != 0)
{
$this->assign('msg', 'url参数为空');
$this->assign('msg', $ret['msg']);
return $this->fetch('public/tips_error');
}
(new \base\Qrcode())->Download($params);
}
}
?>
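Review bot: `Download()` still forwards the whole of `input()` to `\base\Qrcode::Download()`, so the caller-supplied `filename` reaches the library unchecked while only `url` gains validation in this commit. The library section concatenates it into the download name (`$params['filename'].'.png'`), and where that name is used afterwards lies outside the visible lines. If it ends up in a response header or a filesystem path, CR/LF, quotes and path separators should be stripped before the call, e.g. `$params['filename'] = (empty($params['filename']) || !is_string($params['filename'])) ? '' : basename(str_replace(["\r", "\n", '"'], '', $params['filename']));`. The error branch could also compare strictly, `$ret['code'] !== 0`, assuming `DataReturn()` always yields an integer code.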


@ -180,7 +180,17 @@ class Qrcode
public function Download($params = [])
{
// 图片地址
$url = base64_decode(urldecode($params['url']));
$url = empty($params['url']) ? '' : base64_decode(urldecode($params['url']));
if(empty($url))
{
return DataReturn('url地址有误', -1);
}
// 域名验证、仅支持下载当前域名下的文件
if(GetUrlHost(__MY_HOST__) != GetUrlHost($url))
{
return DataReturn('url地址非法', -1);
}
// 随机文件名
$filename = empty($params['filename']) ? date('YmdHis').GetNumberCode().'.png' : $params['filename'].'.png';
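Review bot: The same-host check `if(GetUrlHost(__MY_HOST__) != GetUrlHost($url))` compares only the host and uses a loose `!=`, so the scheme is never restricted and the result is only as reliable as `GetUrlHost()`, which is defined outside this diff. If the code that fetches `$url` further down (outside the hunk) parses the URL differently or follows redirects, a URL that passes here could still be served from another host or through a non-HTTP wrapper. I would require an http(s) scheme and compare strictly, e.g. `if(!in_array(strtolower((string) parse_url($url, PHP_URL_SCHEME)), ['http', 'https'], true) || GetUrlHost(__MY_HOST__) !== GetUrlHost($url))`, and disable redirect following in the fetch. Passing `true` as the second argument of `base64_decode()` would also reject malformed input instead of decoding it leniently.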