Comments (5)
This feature is implemented as shown below. You can intercept it with a filter, or serve file access some other way, for example with Nginx.
public class FileStorageAutoConfiguration implements WebMvcConfigurer {
    /**
     * Configure the access URLs for local storage
     */
    @Override
    public void addResourceHandlers(ResourceHandlerRegistry registry) {
        // Local: files are served from base-path
        for (FileStorageProperties.Local local : properties.getLocal()) {
            if (local.getEnableAccess()) {
                registry.addResourceHandler(local.getPathPatterns()).addResourceLocations("file:" + local.getBasePath());
            }
        }
        // LocalPlus: files are served from storage-path (base-path is not part of the resource location)
        for (FileStorageProperties.LocalPlus local : properties.getLocalPlus()) {
            if (local.getEnableAccess()) {
                registry.addResourceHandler(local.getPathPatterns()).addResourceLocations("file:" + local.getStoragePath());
            }
        }
    }
}
from x-file-storage.
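The above was mistaken: a specific URL cannot be used to access arbitrary files on the machine, but it can ignore base-path and access every file under storage-path. I suggest passing local.getStoragePath() + local.getBasePath() to addResourceLocations to fix this.
However, the FileStorageService implementation classes LocalPlusFileStorage and LocalFileStorage still have this kind of vulnerability: if an illegal URL is passed in, files at arbitrary paths can be operated on. I suggest adding a check after the path is concatenated; here is an example for reference: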
from x-file-storage.
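One way to do the check after path concatenation that the comment above suggests, as an added example (not the commenter's code and not part of x-file-storage). The class name SafePathResolver and the sample inputs are hypothetical; it goes slightly beyond the suggestion by also re-checking the resolved real path, so a symlink inside the root cannot point outside it.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical helper, not part of x-file-storage.
public final class SafePathResolver {
    private final Path root;

    public SafePathResolver(String storagePath, String basePath) throws IOException {
        // Confine to storage-path + base-path, so base-path is enforced as well.
        Path dir = Paths.get(storagePath, basePath);
        Files.createDirectories(dir);
        this.root = dir.toRealPath();
    }

    public Path resolve(String userPath) throws IOException {
        if (userPath == null || userPath.indexOf('\0') >= 0) {
            throw new SecurityException("invalid path");
        }
        // Treat the input as relative: unify separators, drop leading slashes.
        String relative = userPath.replace('\\', '/').replaceFirst("^/+", "");
        Path candidate = root.resolve(relative).normalize();
        // Path.startsWith compares whole name elements, unlike a String prefix check.
        if (!candidate.startsWith(root)) {
            throw new SecurityException("path escapes storage root: " + userPath);
        }
        // Re-check the nearest existing ancestor after symlink resolution.
        Path existing = candidate;
        while (!Files.exists(existing, LinkOption.NOFOLLOW_LINKS)) {
            existing = existing.getParent();
        }
        if (!existing.toRealPath().startsWith(root)) {
            throw new SecurityException("symlink escapes storage root: " + userPath);
        }
        return candidate;
    }
    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("xfs-demo"); // constructed sample root
        SafePathResolver r = new SafePathResolver(tmp.toString(), "project-a");
        String[] inputs = {"2024/a.jpg", "/2024/../b.jpg", "../project-b/a.jpg", "..\\..\\x.txt"};
        for (String in : inputs) {
            try {
                System.out.println(in + " -> " + r.resolve(in));
            } catch (SecurityException e) {
                System.out.println(in + " -> rejected");
            }
        }
    }
}
```

The first two sample inputs resolve inside the root; the last two are rejected because the normalized path leaves storage-path + base-path.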
OK, thanks for your suggestion. I will address these issues in the new version.
from x-file-storage.
For the current version, you can check the documentation and handle this by intercepting with an aspect.
from x-file-storage.
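Because I have been busy with work, the new version is only now nearing completion.
The Local base-path and the Local Plus (LocalPlus) storage-path are effectively equivalent to an object store's bucket-name. The Local Plus base-path serves the same purpose as base-path in object storage: it is only used to separate different projects by path within one storage platform, and it provides no access isolation. Only Local Plus behaves this way, and it should not really be a problem.
To avoid this situation, there are two options:
1. Put base-path into storage-path
2. Filter with a custom interceptor, Nginx, or similar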
from x-file-storage.