2025-02-25 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article shows how to verify image resources uploaded by users in Spring Boot.
Allowing users to upload image resources (avatars, posts) is a common app requirement. Because user-supplied files are written to disk, the server must prevent attackers from submitting illegitimate files such as Trojans, webshells and executable programs. Such files not only break the display of image resources on the client side, but also create security problems for the server.
Judge the validity of a file by its suffix
This approach is common and simple, and is currently the one most apps choose.
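```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.springframework.util.FileCopyUtils;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.multipart.MultipartFile;
import org.springframework.web.util.UriUtils;

public Object upload(@RequestParam("file") MultipartFile multipartFile) throws IllegalStateException, IOException {

    // Original file name. It is supplied by the client, so keep only the last
    // path segment; a name such as "../x.jpg" must not escape the upload directory.
    String fileName = StringUtils.getFilename(StringUtils.cleanPath(multipartFile.getOriginalFilename()));

    // Resolve the file suffix to determine whether it is legal
    int index = (fileName == null) ? -1 : fileName.lastIndexOf('.');
    String suffix = null;
    if (index == -1 || (suffix = fileName.substring(index + 1)).isEmpty()) {
        return "File suffix cannot be empty";
    }

    // List of file suffixes allowed to upload
    Set<String> allowSuffix = new HashSet<>(Arrays.asList("jpg", "jpeg", "png", "gif"));
    if (!allowSuffix.contains(suffix.toLowerCase())) {
        return "illegal file, disallowed file type:" + suffix;
    }

    // Write to the file upload directory on disk, /upload
    // FileCopyUtils.copy automatically closes the stream resources
    FileCopyUtils.copy(multipartFile.getInputStream(),
            Files.newOutputStream(Paths.get("D://upload", fileName), StandardOpenOption.CREATE_NEW));

    // Return the relative access path. The file name is likely to contain
    // Chinese characters or spaces, so encode it as a URI component.
    return "/" + UriUtils.encode(fileName, StandardCharsets.UTF_8);
}
```

Use ImageIO to determine whether it is an image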
This method is stricter. In addition to checking the suffix, it uses Java's ImageIO class to load the picture and tries to read its width and height. If the file is not a legitimate image resource, these two values cannot be read, so an illegitimate file is detected even if its suffix has been changed.
```java
import java.awt.image.BufferedImage;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.imageio.ImageIO;

import org.springframework.util.FileCopyUtils;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.multipart.MultipartFile;
import org.springframework.web.util.UriUtils;

public Object upload(@RequestParam("file") MultipartFile multipartFile) throws IllegalStateException, IOException {

    // Original file name. It is supplied by the client, so keep only the last
    // path segment; a name such as "../x.jpg" must not escape the target directories.
    String fileName = StringUtils.getFilename(StringUtils.cleanPath(multipartFile.getOriginalFilename()));

    // Resolve the file suffix
    int index = (fileName == null) ? -1 : fileName.lastIndexOf('.');
    String suffix = null;
    if (index == -1 || (suffix = fileName.substring(index + 1)).isEmpty()) {
        return "File suffix cannot be empty";
    }

    // List of file suffixes allowed to upload
    Set<String> allowSuffix = new HashSet<>(Arrays.asList("jpg", "jpeg", "png", "gif"));
    if (!allowSuffix.contains(suffix.toLowerCase())) {
        return "illegal file, not allowed file type:" + suffix;
    }

    // Temporary file
    File tempFile = new File(System.getProperty("java.io.tmpdir"), fileName);

    try {
        // Write the upload to the temporary directory
        multipartFile.transferTo(tempFile);

        try {
            // Try to decode the file to determine its validity.
            // ImageIO.read returns null when no registered reader recognizes the content.
            BufferedImage bufferedImage = ImageIO.read(tempFile);
            if (bufferedImage == null) {
                return "file is not an image file";
            }
            bufferedImage.getWidth();
            bufferedImage.getHeight();
        } catch (Exception e) {
            // Read failure: not a valid image file, return the error message
            return "file is not an image file";
        }

        // Copy to the upload directory
        FileCopyUtils.copy(new FileInputStream(tempFile),
                Files.newOutputStream(Paths.get("D://upload", fileName), StandardOpenOption.CREATE_NEW));

        // Return the relative access path
        return "/" + UriUtils.encode(fileName, StandardCharsets.UTF_8);

    } finally {
        // After responding to the client, always delete the temporary file
        tempFile.delete();
    }
}
```
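The following is an added example, not code from the original article: a standalone check that combines the two methods above without relying on the client's file name. It detects the format from the content with an `ImageReader`, reads width and height from the header only, and returns a server-generated file name. The class name, `ALLOWED`, `MAX_SIDE`, `safeName` and the sample inputs in `main` are assumptions made for illustration.

```java
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;

public class ImageUploadCheck {
    // Decoder format name -> stored extension (assumed allow list, mirrors the article's suffixes)
    static final Map<String, String> ALLOWED = Map.of("jpeg", "jpg", "png", "png", "gif", "gif");
    static final int MAX_SIDE = 8192; // assumed limit; oversized images are rejected before any pixel decode

    /** Returns a server-generated file name, or null if the bytes are not an allowed image. */
    static String safeName(byte[] upload) throws IOException {
        try (ImageInputStream in = ImageIO.createImageInputStream(new ByteArrayInputStream(upload))) {
            Iterator<ImageReader> readers = ImageIO.getImageReaders(in);
            if (!readers.hasNext()) return null;                 // no decoder recognizes the content
            ImageReader reader = readers.next();
            try {
                reader.setInput(in, true, true);
                String ext = ALLOWED.get(reader.getFormatName().toLowerCase(Locale.ROOT));
                int w = reader.getWidth(0), h = reader.getHeight(0); // parsed from the header
                if (ext == null || w <= 0 || h <= 0 || w > MAX_SIDE || h > MAX_SIDE) return null;
                return UUID.randomUUID() + "." + ext;             // the client's file name is never used
            } catch (IOException | RuntimeException e) {
                return null;                                      // corrupt or truncated header
            } finally {
                reader.dispose();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample 1: a real 4x4 PNG built in memory
        ByteArrayOutputStream png = new ByteArrayOutputStream();
        ImageIO.write(new BufferedImage(4, 4, BufferedImage.TYPE_INT_RGB), "png", png);
        // Constructed sample 2: plain text that a client could submit as "avatar.jpg"
        byte[] fake = "this is not an image".getBytes(StandardCharsets.UTF_8);
        System.out.println("png  -> " + safeName(png.toByteArray())); // a generated name ending in .png
        System.out.println("fake -> " + safeName(fake));              // null
    }
}
```

Because the stored extension comes from the detected format rather than from the upload's suffix, a renamed file is either rejected or saved under the extension that matches its real content.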