修复流的方法错误 ,修复跨域脚本缺少BASE64 (#423)

* 修复office下载方法中 错误

* 更新OFD解析效果,修复禁止trace请求无效问题,其他压缩包修复

* 修复压缩包 缓存BUG

* 限制某些特殊文件上传

* 修复OFFICE文件密码检查关闭流 上传文件关闭流 检查PDF文件是否存在

* 特殊符号的支持

Co-authored-by: gaoxiongzaq <admin@cxcp.com>

server/src/main/java/cn/keking/service/FileHandlerService.java

@@ -191,6 +191,9 @@ public class FileHandlerService {
         }
         try {
             File pdfFile = new File(pdfFilePath);
+            if (!pdfFile.exists()) {
+                return null;
+            }
             PDDocument doc = PDDocument.load(pdfFile);
             int pageCount = doc.getNumberOfPages();
             PDFRenderer pdfRenderer = new PDFRenderer(doc);
@@ -273,11 +276,6 @@ public class FileHandlerService {
         if (url.contains("?fileKey=")) {
             attribute.setSkipDownLoad(true);
         }
-        String  urlStrr = url.toLowerCase();  //转换为小写对比
-        boolean wjl = WebUtils.kuayu("&fullfilename=", urlStrr);  //判断是否启用文件流
-        if(wjl){
-            url =  url.substring(0,url.lastIndexOf("&"));  //删除添加的文件流内容
-        }
         url = WebUtils.encodeUrlFileName(url);
         fileName =  KkFileUtils.htmlEscape(fileName);  //文件名处理
         attribute.setType(type);

server/src/main/java/cn/keking/service/impl/CompressFilePreviewImpl.java

@@ -40,6 +40,12 @@ public class CompressFilePreviewImpl implements FilePreview {
             }
             String filePath = response.getContent();
             fileTree = compressFileReader.unRar(filePath, fileName);
+            if (fileTree != null && !"null".equals(fileTree)) {
+                if (ConfigConstants.isCacheEnabled()) {
+                    // 加入缓存
+                    fileHandlerService.addConvertedFile(fileName, fileTree);
+                }
+            }
         } else {
             fileTree = fileHandlerService.getConvertedFile(fileName);
         }

server/src/main/java/cn/keking/service/impl/OfficeFilePreviewImpl.java

@@ -14,6 +14,7 @@ import org.springframework.stereotype.Service;
 import org.springframework.ui.Model;
 import org.springframework.util.StringUtils;
 
+import java.net.URLEncoder;
 import java.util.List;
 
 /**
@@ -50,7 +51,7 @@ public class OfficeFilePreviewImpl implements FilePreview {
         String pdfName = fileName.substring(0, fileName.lastIndexOf(".") + 1) + (isHtml ? "html" : "pdf");
         String cacheFileName = userToken == null ? pdfName : userToken + "_" + pdfName;
         String outFilePath = FILE_DIR + cacheFileName;
-
+        if ( !fileHandlerService.listConvertedFiles().containsKey(pdfName) || !ConfigConstants.isCacheEnabled()) {
         // 下载远程文件到本地，如果文件在本地已存在不会重复下载
         ReturnResponse<String> response = DownloadUtils.downLoad(fileAttribute, fileName);
         if (response.isFailure()) {
@@ -115,11 +116,11 @@ public class OfficeFilePreviewImpl implements FilePreview {
                 }
             }
         }
-
+        }
         if (!isHtml && baseUrl != null && (OFFICE_PREVIEW_TYPE_IMAGE.equals(officePreviewType) || OFFICE_PREVIEW_TYPE_ALL_IMAGES.equals(officePreviewType))) {
             return getPreviewType(model, fileAttribute, officePreviewType, baseUrl, cacheFileName, outFilePath, fileHandlerService, OFFICE_PREVIEW_TYPE_IMAGE, otherFilePreview);
         }
-
+        cacheFileName =   URLEncoder.encode(cacheFileName).replaceAll("\\+", "%20");
         model.addAttribute("pdfUrl", cacheFileName);
         return isHtml ? EXEL_FILE_PREVIEW_PAGE : PDF_FILE_PREVIEW_PAGE;
     }

server/src/main/java/cn/keking/service/impl/PdfFilePreviewImpl.java

@@ -10,6 +10,7 @@ import cn.keking.web.filter.BaseUrlFilter;
 import org.springframework.stereotype.Service;
 import org.springframework.ui.Model;
 
+import java.net.URLEncoder;
 import java.util.List;
 
 /**
@@ -73,6 +74,7 @@ public class PdfFilePreviewImpl implements FilePreview {
                         fileHandlerService.addConvertedFile(pdfName, fileHandlerService.getRelativePath(outFilePath));
                     }
                 } else {
+                    pdfName =   URLEncoder.encode(pdfName).replaceAll("\\+", "%20");
                     model.addAttribute("pdfUrl", pdfName);
                 }
             } else {

server/src/main/java/cn/keking/utils/DownloadUtils.java

@@ -50,6 +50,11 @@ public class DownloadUtils {
             response.setMsg("下载失败:文件名不合法!" + urlStr);
             return response;
         }
+        if(realPath.equals("cunzhai")){
+            response.setContent(fileDir + fileName);
+            response.setMsg(fileName);
+            return response;
+        }
         try {
             URL url = WebUtils.normalizedURL(urlStr);
             if (!fileAttribute.getSkipDownLoad()) {
@@ -110,6 +115,7 @@ public class DownloadUtils {
         File realFile = new File(realPath);
         if (realFile.exists()) {
             fileAttribute.setSkipDownLoad(true);
+            return "cunzhai";
         }
         return realPath;
     }

server/src/main/java/cn/keking/utils/KkFileUtils.java

@@ -102,7 +102,7 @@ public class KkFileUtils {
     public static String htmlEscape(String input) {
         if(StringUtils.hasText(input)){
             //input = input.replaceAll("\\{", "%7B").replaceAll("}", "%7D").replaceAll("\\\\", "%5C");
-            return HtmlUtils.htmlEscape(input);
+            return HtmlUtils.htmlEscape(input, "UTF-8");
         }
         return input;
     }

server/src/main/java/cn/keking/utils/OfficeUtils.java

@@ -7,6 +7,7 @@ import org.apache.poi.hssf.record.crypto.Biff8EncryptionKey;
 import org.springframework.lang.Nullable;
 
 import java.io.IOException;
+import java.io.InputStream;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 
@@ -27,8 +28,10 @@ public class OfficeUtils {
      * @return 是否受密码保护
      */
     public static boolean isPwdProtected(String path) {
+        InputStream propStream = null;
         try {
-            ExtractorFactory.createExtractor(Files.newInputStream(Paths.get(path)));
+            propStream = Files.newInputStream(Paths.get(path));
+            ExtractorFactory.createExtractor(propStream);
         } catch (IOException | EncryptedDocumentException e) {
             if (e.getMessage().toLowerCase().contains(POI_INVALID_PASSWORD_MSG)) {
                 return true;
@@ -42,10 +45,17 @@ public class OfficeUtils {
                     }
                 }
             }
+        }finally {
+            if(propStream!=null) {//如果文件输入流不是null
+                try {
+                    propStream.close();//关闭文件输入流
+                } catch (IOException e) {
+                    e.printStackTrace();
+                }
+            }
         }
         return false;
     }
-
     /**
      * 判断office文件是否可打开（兼容）
      *
@@ -54,15 +64,24 @@ public class OfficeUtils {
      * @return 是否可打开（兼容）
      */
     public static synchronized boolean isCompatible(String path, @Nullable String password) {
+        InputStream propStream = null;
         try {
+            propStream = Files.newInputStream(Paths.get(path));
             Biff8EncryptionKey.setCurrentUserPassword(password);
-            ExtractorFactory.createExtractor(Files.newInputStream(Paths.get(path)));
+            ExtractorFactory.createExtractor(propStream);
         } catch (Exception e) {
             return false;
         } finally {
             Biff8EncryptionKey.setCurrentUserPassword(null);
+            if(propStream!=null) {//如果文件输入流不是null
+                try {
+                    propStream.close();//关闭文件输入流
+                } catch (IOException e) {
+                    e.printStackTrace();
+                }
+            }
         }
         return true;
     }
 
-}
+}

server/src/main/java/cn/keking/utils/WebUtils.java

@@ -131,6 +131,11 @@ public class WebUtils {
             } catch (UnsupportedEncodingException e) {
                 return null;
             }
+            String  urlStrr = url.toLowerCase();  //转换为小写对比
+            boolean wjl =kuayu("&fullfilename=", urlStrr);  //判断是否启用文件流
+            if(wjl){
+                url =  url.substring(0,url.lastIndexOf("&"));  //删除添加的文件流内容
+            }
             String noQueryUrl = url.substring(0, url.indexOf("?"));
             String parameterStr = url.substring(url.indexOf("?"));
             parameterStr = parameterStr.replaceFirst(fullFileName, encodedFileName);

server/src/main/java/cn/keking/web/controller/FileController.java

@@ -31,7 +31,7 @@ import java.util.Objects;
 
 /**
  * @author yudian-it
- * @date 2017/12/1
+ *  2017/12/1
  */
 @RestController
 public class FileController {
@@ -64,6 +64,15 @@ public class FileController {
         if (pos != -1) {
             fileName = fileName.substring(pos + 1);
         }
+        String fileType= "";
+        int i = fileName.lastIndexOf('.');
+        if (i > 0) {
+            fileType= fileName.substring(i+1);
+            fileType= fileType.toLowerCase();
+        }
+        if (fileType.length() == 0 || fileType.equals("dll") || fileType.equals("exe") || fileType.equals("msi") ){
+            return ReturnResponse.failure(fileName+"不允许上传的文件");
+        }
         // 判断是否存在同名文件
         if (existsFile(fileName)) {
             return ReturnResponse.failure("存在同名文件，请先删除原有文件再次上传");
@@ -75,6 +84,8 @@ public class FileController {
         logger.info("上传文件：{}", fileDir + demoPath + fileName);
         try (InputStream in = file.getInputStream(); OutputStream out = Files.newOutputStream(Paths.get(fileDir + demoPath + fileName))) {
             StreamUtils.copy(in, out);
+            in.close();
+            out.close();
             return ReturnResponse.success(null);
         } catch (IOException e) {
             logger.error("文件上传失败", e);

server/src/main/java/cn/keking/web/filter/SecurityFilterProxy.java

@@ -19,7 +19,7 @@ public class SecurityFilterProxy extends OncePerRequestFilter {
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                     FilterChain filterChain) throws ServletException, IOException {
-        if((","+NOT_ALLOW_METHODS+",").indexOf(","+request.getMethod().toLowerCase()+",") > -1) {
+        if((","+NOT_ALLOW_METHODS+",").indexOf(","+request.getMethod().toUpperCase()+",") > -1) {
             response.setStatus(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
             response.setHeader("Content-Type", "text/html; charset=iso-8859-1");
             response.getWriter().println("Method Not Allowed");

server/src/main/resources/web/eml.ftl

@@ -6,6 +6,7 @@
     <meta charset="utf-8" />
     <meta name="viewport" content="width=device-width, user-scalable=yes, initial-scale=1.0">
     <#include "*/commonHeader.ftl">
+  <script src="js/base64.min.js" type="text/javascript"></script>
 </head>
 	<#if currentUrl?contains("http://") || currentUrl?contains("https://") || currentUrl?contains("file://")>
     <#assign finalUrl="${currentUrl}">

server/src/main/resources/web/epub.ftl

@@ -6,6 +6,7 @@
     <meta charset="utf-8" />
     <meta name="viewport" content="width=device-width, user-scalable=yes, initial-scale=1.0">
     <#include "*/commonHeader.ftl">
+	     <script src="js/base64.min.js" type="text/javascript"></script>
    <script src="epub/epub.js"></script>
    <script src="js/jszip.min.js"></script>
   <link rel="stylesheet" type="text/css" href="epub/examples.css">

server/src/main/resources/web/index.ftl

@@ -238,6 +238,13 @@
 
         $("#btnSubmit").click(function () {
             var _fileName = $("#fileName").text()
+            var index= _fileName.lastIndexOf(".");
+            //获取后缀
+            var ext = _fileName.substr(index+1);
+             if (!ext || ext == "dll"|| ext == "exe"|| ext == "msi" ){
+             window.alert(ext+"不支持上传")
+            return ;
+        }
             if(!_fileName){
                 $("#postFileAlert").addClass("show");
                 window.setTimeout(function(){

server/src/main/resources/web/online3D.ftl

@@ -5,7 +5,9 @@
     <meta charset="utf-8"/>
     <meta name="viewport" content="width=device-width, user-scalable=yes, initial-scale=1.0">
     <title>${file.name}3D预览</title>
+	  <script src="js/base64.min.js" type="text/javascript"></script>
     <#include "*/commonHeader.ftl">
+	
 </head>
 	<#if currentUrl?contains("http://") || currentUrl?contains("https://") || currentUrl?contains("file://")>
     <#assign finalUrl="${currentUrl}">
@@ -22,8 +24,11 @@
     var baseUrl = '${baseUrl}'.endsWith('/') ? '${baseUrl}' : '${baseUrl}' + '/';
     if (!url.startsWith(baseUrl)) {
          url = baseUrl + 'getCorsFile?urlPath=' + encodeURIComponent(Base64.encode(url));
-    }
+		 document.getElementsByTagName('iframe')[0].src = "${baseUrl}website/index.html#model="+ url + "&fullfilename=/${file.name}";
+    }else{
 	document.getElementsByTagName('iframe')[0].src = "${baseUrl}website/index.html#model="+ url;
+	}
+	
     document.getElementsByTagName('iframe')[0].height = document.documentElement.clientHeight - 10;
     /**
      * 页面变化调整高度

server/src/main/resources/web/xmind.ftl

@@ -5,6 +5,7 @@
 <meta charset="utf-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no" />
 <#include "*/commonHeader.ftl">
+<script src="js/base64.min.js" type="text/javascript"></script>
 <#if currentUrl?contains("http://") || currentUrl?contains("https://")>
     <#assign finalUrl="${currentUrl}">
     <#elseif currentUrl?contains("ftp://") >