From 9fbe8d6ec4c832de48671c4dcb086a82b8fd4d24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=A4=A7=E7=81=B0=E7=81=B0?=
Date: Tue, 20 Aug 2024 12:05:29 +0800
Subject: [PATCH] =?UTF-8?q?=E3=80=90=E4=BC=98=E5=8C=96=E3=80=91=E5=89=8D?=
 =?UTF-8?q?=E7=AB=AF=E4=B8=8A=E4=BC=A0=E6=8E=A5=E5=8F=A3=E5=A2=9E=E5=8A=A0?=
 =?UTF-8?q?=E6=95=B0=E6=8D=AE=E6=A0=A1=E9=AA=8C=EF=BC=8C=E9=98=B2=E6=AD=A2?=
 =?UTF-8?q?=E5=87=BA=E7=8E=B0=E6=81=B6=E6=84=8F=E6=8F=90=E4=BA=A4=E8=84=9A?=
 =?UTF-8?q?=E6=9C=AC=E6=95=B0=E6=8D=AE=E7=9A=84=E9=97=AE=E9=A2=98=E3=80=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 CoreCms.Net.Utility/Helper/CommonHelper.cs | 14 ++++++++++++++
 .../Controllers/CommonController.cs | 13 +++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/CoreCms.Net.Utility/Helper/CommonHelper.cs b/CoreCms.Net.Utility/Helper/CommonHelper.cs
index 3d16271..6415dc0 100644
--- a/CoreCms.Net.Utility/Helper/CommonHelper.cs
+++ b/CoreCms.Net.Utility/Helper/CommonHelper.cs
@@ -664,5 +664,19 @@ namespace CoreCms.Net.Utility.Helper
 return t;
 }
 
+ #region 检测提交的内容是否包含非法信息
+
+ ///
+ /// 检测提交的内容是否包含非法信息。
+ ///
+ ///
+ ///
+ public static bool CheckData(string inputData)
+ {
+ var strRegex = @"<[^>]+?style=[\w]+?:expression\(|\b(alert|confirm|prompt)\b|^\+/v(8|9)|<[^>]*?=[^>]*?&#[^>]*?>|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";
+ return Regex.IsMatch(inputData, strRegex);
+ }
+ #endregion
+
 }
 }
diff --git a/CoreCms.Net.Web.WebApi/Controllers/CommonController.cs b/CoreCms.Net.Web.WebApi/Controllers/CommonController.cs
index 7c65aab..6fd0876 100644
--- a/CoreCms.Net.Web.WebApi/Controllers/CommonController.cs
+++ b/CoreCms.Net.Web.WebApi/Controllers/CommonController.cs
@@ -13,6 +13,7 @@ using System.Collections.Generic;
 using System.Globalization;
 using System.IO;
 using System.Linq;
+using System.Text;
 using System.Threading.Tasks;
 using Aliyun.OSS;
 using Aliyun.OSS.Util;
@@ -291,6 +292,18 @@ namespace CoreCms.Net.Web.WebApi.Controllers
 return jm;
 }
 
+ // 使用StreamReader来读取文件内容
+ using (var reader = new StreamReader(file.OpenReadStream(), Encoding.UTF8))
+ {
+ var content = await reader.ReadToEndAsync(); // 注意:这可能会消耗大量内存对于大文件,所以需要限制上传大小
+ // 检查内容是否合法
+ if (CommonHelper.CheckData(content))
+ {
+ jm.msg = "请勿提交非法数据。";
+ return jm;
+ }
+ }
+
 string url = string.Empty;
 if (filesStorageOptions.StorageType == GlobalEnumVars.FilesStorageOptionsType.LocalStorage.ToString())
 {
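Review bot: `await reader.ReadToEndAsync()` materializes the whole upload as a UTF-8 string before any size bound is enforced in this hunk, which the inline comment itself acknowledges; unless the validation that precedes the hunk already caps `file.Length`, add a guard before opening the stream, e.g. `if (file.Length > maxScanBytes) { jm.msg = "<too-large message placeholder>"; return jm; }` with `maxScanBytes` taken from configuration. The scan is also applied to every upload regardless of content type, so binary files such as images are decoded as text and regex-scanned for SQL keywords, which costs memory and can reject a legitimate file on a chance byte sequence; scanning only declared text types, and relying on the extension/content-type allow-list plus serving stored files with a non-executable content type, is the stronger defense against stored script content than the keyword list in `CommonHelper.CheckData`. The stream from `file.OpenReadStream()` is disposed by the `using` here, so the storage path that follows (outside the hunk) must open its own stream, and `await` requires the enclosing action, which starts before the hunk, to be declared `async`.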