<%@ page contentType="text/html; charset=UTF-8"%>
<%@ page import="java.io.*"%>
<%@ page import="weaver.hrm.*"%>
<%@page import="weaver.general.*"%>
<%@page import="weaver.file.FileType"%>
<%@ page import="java.net.URLDecoder" %>
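<%!
// Extensions an upload may carry: images plus a few legacy media containers.
// This is a name-suffix check only; the caller pairs it with a content sniff,
// and the two are evaluated independently.
// NOTE(review): ".swf" served from this origin can run ActionScript with the
// site's origin in Flash-enabled clients -- confirm it is still required.
private static final String[] ALLOWED_UPLOAD_EXTS = {
    ".jpg", ".jpeg", ".gif", ".ico", ".bmp", ".png",
    ".flv", ".mp3", ".swf", ".mp4", ".wmv"
};

/**
 * Returns true only if {@code filename} is non-null, contains at most one '.',
 * and ends (case-insensitively) with one of ALLOWED_UPLOAD_EXTS.
 *
 * The single-dot rule deliberately rejects multi-extension names such as
 * "shell.jsp.jpg" or "x.php;.jpg"; as a consequence a '.' anywhere in the
 * argument (e.g. in a directory name) rejects it, so pass a basename, not a
 * full path.
 *
 * @param filename name to test; may be null
 * @return whether the name is acceptable for upload
 */
private static boolean validateFileExt(String filename) {
    if (filename == null) {
        return false;
    }
    // More than one '.' -> reject outright (double-extension defence).
    if (filename.indexOf('.') != filename.lastIndexOf('.')) {
        return false;
    }
    // Locale.ROOT: locale-sensitive lower-casing (e.g. Turkish dotless i)
    // must not change which names the allow-list accepts.
    String lower = filename.toLowerCase(java.util.Locale.ROOT);
    for (String ext : ALLOWED_UPLOAD_EXTS) {
        if (lower.endsWith(ext)) {
            return true;
        }
    }
    return false;
}
%>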
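<%
// Authenticated upload of a static resource (image / legacy media) into the
// page/resource/userfile tree. Order of checks:
//   1. session user (HrmUserVarify) -- anonymous requests get nothing;
//   2. "dir" must name a path under page/resource/userfile and carry no "..";
//   3. the multipart body is read with the exact Content-Length;
//   4. the uploaded name is reduced to a basename, NUL/percent stripped, and
//      matched against the extension allow-list (validateFileExt);
//   5. the final path is canonicalised and must stay inside the userfile
//      tree -- this, not the prefix test, is the authoritative traversal check;
//   6. the content is sniffed (FileType.getFileTypeByByte) and an existing
//      file is never overwritten.
// NOTE(review): no CSRF token is checked here; confirm HrmUserVarify or a
// filter covers it, since any logged-in user's browser can be made to POST.
User user = HrmUserVarify.getUser(request, response);
if (user == null) return;

String dir = Util.null2String(request.getParameter("dir"));
if (!(dir.startsWith("/page/resource/userfile") || dir.startsWith("page/resource/userfile"))) {
    out.println("error");
    return;
}
// ".." is rejected in the raw value and in its percent-decoded form (the raw
// one is what actually ends up in the path). A malformed escape such as "%zz"
// makes URLDecoder throw; treat that as a rejection too.
String decodedDir;
try {
    decodedDir = URLDecoder.decode(dir, "UTF-8");
} catch (Exception e) {
    decodedDir = "..";
}
if (dir.contains("..") || decodedDir.contains("..")) {
    out.println("error");
    return;
}

String realPath = GCONST.getRootPath();
File fileDir = new File(realPath + dir);
String contentType = request.getContentType();
DataInputStream in = null;
FileOutputStream fileOut = null;
try {
    // Non-multipart requests are ignored without output, as before.
    if (contentType == null || contentType.indexOf("multipart/form-data") < 0) {
        return;
    }
    // The directory every upload must resolve into, in canonical form.
    File uploadBase = new File(realPath + "/page/resource/userfile").getCanonicalFile();

    // The parser below needs the whole body in memory; -1 (chunked / unknown
    // length) and 0 cannot be handled.
    // NOTE(review): the declared length is client-controlled and sizes the
    // allocation with no upper bound -- a request-size limit at the container
    // or here is advisable.
    int formDataLength = request.getContentLength();
    if (formDataLength <= 0) {
        out.println("error");
        return;
    }
    in = new DataInputStream(request.getInputStream());
    byte[] dataBytes = new byte[formDataLength];
    // readFully loops until the buffer is full and throws EOFException on a
    // short body (the old hand-rolled loop passed the wrong length to read()
    // and spun forever on EOF).
    in.readFully(dataBytes);

    // ISO-8859-1 maps each byte to one char, so every char index computed on
    // `body` is also a byte offset into dataBytes.
    String body = new String(dataBytes, "ISO-8859-1");

    // --- file name from the Content-Disposition header ----------------------
    int nameStart = body.indexOf("filename=\"");
    if (nameStart < 0) {
        out.println("error");
        return;
    }
    nameStart += "filename=\"".length();
    int lineEnd = body.indexOf("\n", nameStart);
    int quoteEnd = body.indexOf("\"", nameStart);
    if (lineEnd < 0 || quoteEnd < 0 || quoteEnd > lineEnd) {
        out.println("error");
        return;
    }
    // Re-decode with the platform charset so non-ASCII names come out as they
    // did when the whole body was decoded that way.
    String saveFile = new String(body.substring(nameStart, quoteEnd).getBytes("ISO-8859-1"));
    // Basename only: browsers may send a client path ("C:\...\x.jpg"), and "/"
    // is a separator on the server.
    saveFile = saveFile.substring(saveFile.lastIndexOf('\\') + 1);
    saveFile = saveFile.substring(saveFile.lastIndexOf('/') + 1);
    saveFile = saveFile.replaceAll("%00", "").replaceAll("%", "").replaceAll("\0", "");
    if (saveFile.length() == 0) {
        out.println("error");
        return;
    }
    // Allow-list on the basename. (The old code tested the full path, so a "."
    // anywhere in the install or dir path rejected every upload.)
    if (!validateFileExt(saveFile)) return;

    File targetFile = new File(fileDir, saveFile);
    if (Util.isExcuteFile(targetFile.getPath())) return;
    // Authoritative containment check on the canonical target path.
    String canonicalTarget = targetFile.getCanonicalPath();
    if (!canonicalTarget.startsWith(uploadBase.getPath() + File.separator)) {
        out.println("error");
        return;
    }

    // --- multipart boundary -------------------------------------------------
    // Take the "boundary" parameter itself rather than whatever follows the
    // last "=" (a trailing charset parameter would have broken that).
    int bIdx = contentType.indexOf("boundary=");
    if (bIdx < 0) {
        out.println("error");
        return;
    }
    String boundary = contentType.substring(bIdx + "boundary=".length());
    int semi = boundary.indexOf(';');
    if (semi >= 0) boundary = boundary.substring(0, semi);
    boundary = boundary.trim();
    if (boundary.length() >= 2 && boundary.startsWith("\"") && boundary.endsWith("\"")) {
        boundary = boundary.substring(1, boundary.length() - 1);
    }
    if (boundary.length() == 0) {
        out.println("error");
        return;
    }

    // --- part body offsets --------------------------------------------------
    // The part body starts after the blank line that ends the part headers.
    int hdrEnd = body.indexOf("\r\n\r\n", nameStart);
    int pos;
    if (hdrEnd >= 0) {
        pos = hdrEnd + 4;
    } else {
        hdrEnd = body.indexOf("\n\n", nameStart);
        pos = hdrEnd + 2;
    }
    int boundaryLocation = hdrEnd < 0 ? -1 : body.indexOf(boundary, pos);
    // Step back over the "\r\n--" that precedes the closing boundary.
    if (boundaryLocation < 0 || boundaryLocation - 4 < pos) {
        out.println("error");
        return;
    }
    boundaryLocation -= 4;
    int fileLength = boundaryLocation - pos;
    byte[] fileBytes = new byte[fileLength];
    System.arraycopy(dataBytes, pos, fileBytes, 0, fileLength);

    // --- write --------------------------------------------------------------
    if (targetFile.exists()) return;  // never overwrite, as before
    if (!fileDir.exists()) {
        fileDir.mkdirs();
    }
    String fileType = FileType.getFileTypeByByte(fileBytes);
    // NOTE(review): the sniffed type and the declared extension are checked
    // independently, not required to agree -- a GIF body under a ".swf" name
    // passes both. Tighten once FileType's return format is confirmed.
    if (validateFileExt(fileType)) {
        fileOut = new FileOutputStream(targetFile);
        fileOut.write(fileBytes);
    } else {
        out.println("file type is not valid!");
    }
} catch (Exception ex) {
    // Keep the cause; the old code dropped it.
    throw new ServletException(ex.getMessage(), ex);
} finally {
    if (fileOut != null) {
        try { fileOut.close(); } catch (IOException ignored) { }
    }
    if (in != null) {
        try { in.close(); } catch (IOException ignored) { }
    }
}
%>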