Problems uploading JSP files with JFinal?

wuenyang posted on 2014/08/19 11:46
Views: 659
Favorites: 0

Uploading a JSP; the backend reports the following error:


014-08-19 10:31:57
[ERROR]-[Thread: http-bio-8080-exec-7]-[com.jfinal.core.ActionHandler.handle()]: /tpl/doupload
java.lang.NullPointerException
at com.wlkj.business.tpl.action.TplController.doupload(TplController.java:231)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.jfinal.core.ActionInvocation.invoke(ActionInvocation.java:55)
at com.wlkj.common.action.CommInterceptor.intercept(CommInterceptor.java:13)
at com.jfinal.core.ActionInvocation.invoke(ActionInvocation.java:51)
at com.jfinal.core.ActionHandler.handle(ActionHandler.java:77)
at com.jfinal.core.JFinalFilter.doFilter(JFinalFilter.java:72)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:744)

Here is the front-end page code:

<form id="tplfrom" action="<%=path%>/tpl/doupload" name="formobj"  enctype="multipart/form-data" 
method="POST" class="easyui-form" data-options="novalidate:true">
<table style="width: 100%;" cellpadding="0" cellspacing="0"
class="formtable">
<tr>
<td  height="40" width="15%"><label
class="Validform_label">存放目录:</label></td>
<td class="value" ><input name="pid"
type="text" class="easyui-combotree" style="width:300px;"
data-options="required:true,panelWidth:'auto',url:'<%=path%>/tpl/list'"
value="${pid}" onchange="" /></td>
</tr>
<tr>
<td  height="40" width="15%"><label
class="Validform_label">上传文件:</label></td>
<td class="value"><input name="file1" type="text"
id="name" class="easyui-filebox" style="width:300px;"
data-options="required:true,missingMessage:'请选要上传的文件',buttonText:'浏览'" /></td>
</tr>


</table>
</form>

Backend code:

public void doupload() {
    this.getFile(); // parse the multipart request (this first call already saves the upload into JFinal's default directory)
    String pid = this.getPara("pid");
    System.out.println("pid========" + pid);
    String tpl_id = UUIDGenerator.getUUID();

    String path = "";

    if (!"000".equals(pid)) {
        List<String> lt = new ArrayList<String>();
        lt = Tpl.service.getUploadPath(pid, lt);
        path = this.getSavePath(lt);
    } else {
        path = Constant.UPLOAD_ROOT_PATH;
    }
    System.out.println("path========" + path);

    // The request was already parsed above, so this call only looks up the file saved by that first parse.
    // getFile("file1") returns null when JFinal rejected the upload (e.g. a .jsp), and .getFile() then throws NPE.
    File file = this.getFile("file1", path, ConstantsUtil.SETMAXPOSTSIZE,
            "utf-8").getFile();

    String fname = file.getName();

    String filetype = fname.substring(fname.lastIndexOf(".") + 1); // extract the file extension
    String fileName = fname.substring(0, fname.lastIndexOf(".")); // file name without extension
    // operator id
    User use = (User) this.getRequest().getSession()
            .getAttribute("curruser");
    String oper_id = use.getStr("user_id");
}

private boolean isSafeFile(UploadFile uploadFile) {
    if (uploadFile.getFileName().toLowerCase().endsWith(".jsp")) {
        uploadFile.getFile().delete();
        return false;
    }
    return true;
}



0
JFinal

    Allowing JSP uploads is extremely dangerous. JSP files can be dynamically compiled and executed by the Java web container; an attacker can upload a JSP file and then request it directly in the browser (assuming the attacker can guess the JSP storage path and direct requests to the JSP are not blocked), and take over your system within minutes.

    So JFinal does not allow uploading JSP files. If you really must upload them, consider the following approaches:

1: Do not use jsp as the file extension; rename the file on the backend after the upload completes

2: Write your own upload-parsing utility class modelled on getFile

    Whichever approach you take, you have to consider protecting against requests to the uploaded JSP files; for example, store uploaded files outside the application directory or under WEB-INF, or write a Handler that blocks requests to JSPs
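As an added example (not code from the original post or from JFinal itself) of the two protections described in the reply above: an upload action that treats a rejected upload as an error and allowlists extensions, plus a Handler that refuses direct requests to scripts under the upload path. The class names, the `/upload/` URL prefix, the allowlist and the `/data/uploads` directory are assumptions.

```java
import java.util.Arrays;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.jfinal.core.Controller;
import com.jfinal.handler.Handler;
import com.jfinal.upload.UploadFile;

// Registered through JFinalConfig.configHandler(); "/upload/" is an assumed prefix.
public class UploadGuardHandler extends Handler {
    private static final String UPLOAD_URL_PREFIX = "/upload/";
    @Override
    public void handle(String target, HttpServletRequest request,
                       HttpServletResponse response, boolean[] isHandled) {
        String lower = target.toLowerCase();
        // Refuse server-side scripts under the upload path however they got
        // there (renamed after upload, or saved to the wrong directory).
        if (lower.startsWith(UPLOAD_URL_PREFIX)
                && (lower.endsWith(".jsp") || lower.endsWith(".jspx"))) {
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            isHandled[0] = true;
            return;
        }
        next.handle(target, request, response, isHandled);
    }
}

class SafeUploadController extends Controller {
    // Assumed allowlist; the save directory below is assumed to be absolute
    // and outside the web application root.
    private static final List<String> ALLOWED = Arrays.asList("png", "jpg", "pdf");
    public void doupload() {
        // Parse the multipart body once, straight into the intended directory.
        UploadFile uf = getFile("file1", "/data/uploads", 10 * 1024 * 1024, "utf-8");
        if (uf == null) {  // JFinal drops an unsafe (.jsp) upload and returns null
            renderText("upload rejected");
            return;
        }
        String name = uf.getFileName();
        int dot = name.lastIndexOf('.');
        String ext = dot < 0 ? "" : name.substring(dot + 1).toLowerCase();
        if (!ALLOWED.contains(ext)) {
            uf.getFile().delete();
            renderText("file type not allowed");
            return;
        }
        renderText("saved as " + uf.getFile().getName());
    }
}
```

The Handler only sees requests that pass through JFinalFilter, so it complements, rather than replaces, keeping uploads outside the directory the container serves JSPs from.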

0
wuenyang
Thanks for the reminder. So which other file formats are restricted?
0
wuenyang
File file = this.getFile("file1", path, ConstantsUtil.SETMAXPOSTSIZE,
        "utf-8").getFile();

path was supposed to set the save location, but the file was not stored at the configured path?

I'm asking: where is the problem?

