update to v1.0.19 进一步修补文件名处理漏洞，延伸至预览功能。

2025-01-09 04:27:56 +08:00 · 2019-07-10 10:33:03 +08:00 · 2019-07-10 10:33:03 +08:00 · 30bb27f181
commit 30bb27f181
parent 92c5c42a72
5 changed files with 9 additions and 5 deletions
--- a/target/classes/META-INF/maven/kohgylw/kiftd/pom.properties
+++ b/target/classes/META-INF/maven/kohgylw/kiftd/pom.properties
@ -1,5 +1,5 @@
 #Generated by Maven Integration for Eclipse
-#Wed Jul 10 09:55:10 CST 2019
+#Wed Jul 10 10:31:42 CST 2019
 version=1.0.19-SNAPSHOT
 groupId=kohgylw
 m2e.projectName=kiftd
--- a/webContext/js/home.js
+++ b/webContext/js/home.js
@ -1957,6 +1957,10 @@ function playAudio(fileId) {
 		dataType:'text',
 		success:function(result){
 			var ail=eval("("+result+")");
+			//避免存在恶意标签注入在文件名中
+			for(var i=0;i<ail.as.length;i++){
+				ail.as[i].name=ail.as[i].name.replace('\'','&#39;').replace('<','&lt;').replace('>','&gt;');
+			}
 			ap.list.add(ail.as);
 			ap.list.switch(ail.index);
 			audio_play();
--- a/webContext/js/home.min.js
+++ b/webContext/js/home.min.js
--- a/webContext/quickview/kplayer.js
+++ b/webContext/quickview/kplayer.js
@ -19,7 +19,7 @@ $(function() {
 				success : function(result) {
 					if (result != "ERROR") {
 						f = eval("(" + result + ")");
-						$("#vname").text(f.fileName);
+						$("#vname").text(f.fileName.replace('\'','&#39;').replace('<','&lt;').replace('>','&gt;'));
 						$("#vcreator").text(f.fileCreator);
 						$("#vcdate").text(f.fileCreationDate);
 						$("#vsize").text(f.fileSize);
@ -52,7 +52,7 @@ function getFileId() {
 	}
 	return "";
 }
-// 显示视屏信息并播放视频
+// 显示视频信息并播放视频
 function playVideo() {
 	$("#playerbox")
 			.html(
--- a/webContext/quickview/kplayer.min.js
+++ b/webContext/quickview/kplayer.min.js
@ -1 +1 @@
-function getFileId(){var b,a=location.search;return-1!=a.indexOf("?")?(b=a.substr(1),strs=b.split("="),strs[1]):""}function playVideo(){$("#playerbox").html("<video id='kiftplayer' class='video-js col-md-12' controls preload='auto' height='500'><source src='resourceController/getResource.do?fid="+f.fileId+"' type='video/mp4'></video>");var a=videojs("kiftplayer");a.ready(function(){this.play()})}function reMainPage(){null!=tReq&&tReq.abort(),null!=tTimer&&window.clearTimeout(tTimer),window.opener=null,window.open("","_self"),window.close()}function doTranscode(){tReq=$.ajax({url:"resourceController/getVideoTranscodeStatus.ajax",type:"POST",dataType:"text",data:{fileId:f.fileId},success:function(a){"FIN"==a?playVideo():"ERROR"==a?(alert("错误：请求失败，请刷新重试。"),reMainPage()):($("#transcodeProgress").text(a),tTimer=setTimeout("doTranscode()",500))},error:function(){alert("错误：请求失败，请刷新重试。"),reMainPage()}})}function showCloseBtn(){var a=$(window).width();450>a?$("#closeBtn").addClass("hidden"):$("#closeBtn").removeClass("hidden")}var tReq,tTimer;$(function(){window.onresize=function(){showCloseBtn()};var fileId=getFileId();$.ajax({url:"homeController/playVideo.ajax",type:"POST",dataType:"text",data:{fileId:fileId},success:function(result){"ERROR"!=result?(f=eval("("+result+")"),$("#vname").text(f.fileName),$("#vcreator").text(f.fileCreator),$("#vcdate").text(f.fileCreationDate),$("#vsize").text(f.fileSize),"N"==f.needEncode?playVideo():($("#playerMassage").html("<h2>播放器正在努力解码中...</h2><h3>已完成：<span id='transcodeProgress'>0</span>%</h3><p class='text-muted'>提示：该视频需解码后播放，请耐心等待！</p>"),doTranscode())):(alert("错误：无法定位要预览的文件或该操作未被授权。"),reMainPage())},error:function(){alert("错误：请求失败，请刷新重试。"),reMainPage()}})});
+function getFileId(){var b,a=location.search;return-1!=a.indexOf("?")?(b=a.substr(1),strs=b.split("="),strs[1]):""}function playVideo(){$("#playerbox").html("<video id='kiftplayer' class='video-js col-md-12' controls preload='auto' height='500'><source src='resourceController/getResource.do?fid="+f.fileId+"' type='video/mp4'></video>");var a=videojs("kiftplayer");a.ready(function(){this.play()})}function reMainPage(){null!=tReq&&tReq.abort(),null!=tTimer&&window.clearTimeout(tTimer),window.opener=null,window.open("","_self"),window.close()}function doTranscode(){tReq=$.ajax({url:"resourceController/getVideoTranscodeStatus.ajax",type:"POST",dataType:"text",data:{fileId:f.fileId},success:function(a){"FIN"==a?playVideo():"ERROR"==a?(alert("错误：请求失败，请刷新重试。"),reMainPage()):($("#transcodeProgress").text(a),tTimer=setTimeout("doTranscode()",500))},error:function(){alert("错误：请求失败，请刷新重试。"),reMainPage()}})}function showCloseBtn(){var a=$(window).width();450>a?$("#closeBtn").addClass("hidden"):$("#closeBtn").removeClass("hidden")}var tReq,tTimer;$(function(){window.onresize=function(){showCloseBtn()};var fileId=getFileId();$.ajax({url:"homeController/playVideo.ajax",type:"POST",dataType:"text",data:{fileId:fileId},success:function(result){"ERROR"!=result?(f=eval("("+result+")"),$("#vname").text(f.fileName.replace("'","&#39;").replace("<","&lt;").replace(">","&gt;")),$("#vcreator").text(f.fileCreator),$("#vcdate").text(f.fileCreationDate),$("#vsize").text(f.fileSize),"N"==f.needEncode?playVideo():($("#playerMassage").html("<h2>播放器正在努力解码中...</h2><h3>已完成：<span id='transcodeProgress'>0</span>%</h3><p class='text-muted'>提示：该视频需解码后播放，请耐心等待！</p>"),doTranscode())):(alert("错误：无法定位要预览的文件或该操作未被授权。"),reMainPage())},error:function(){alert("错误：请求失败，请刷新重试。"),reMainPage()}})});