
250519-1代码。

baoyubo hai 1 mes
achega
d1dbcc9948
Modificáronse 1 ficheiros con 25 adicións e 6 borrados
  1. 25 6
      routers/api/upload_file/__init__.py

+ 25 - 6
routers/api/upload_file/__init__.py

@@ -34,7 +34,8 @@ async def upload_img(
         db: Session = Depends(get_db), dependencies=Depends(valid_access_token_role)
 ):
     file_name = file.filename
-
+    if '../' in file_name or '/' in file_name:
+        return JSONResponse(status_code=404, content={'code': 404, "msg": '警告:禁止篡改文件路径'})
     # 文件后续名校验
     suffix = os.path.splitext(file_name)[-1]
     if suffix.lower() not in ['.png', '.jpg', '.jpeg']:
@@ -72,6 +73,8 @@ async def get_poster_by_id(
         id: str,
         db: Session = Depends(get_db)
 ):
+    if '../' in id or '/' in id:
+        return JSONResponse(status_code=404, content={'code': 404, "msg": '警告:禁止下载文件'})
     image_filepath = os.path.abspath(os.path.join(UPLOAD_IMAGE_PATH+'poster/', id )) #+ ".png"
     # print(image_filepath)
     if os.path.exists(image_filepath) == False:
@@ -91,12 +94,17 @@ async def get_poster_by_id(
 async def upload_big_file(        request: Request,
                                   file: UploadFile = File(...),
                                   chunknumber: str = Query(''),
-                                  identifier: str = Query(''), dependencies=Depends(valid_access_token_role)):  # 分片上传文件【用唯一标志符+分片序号】作为文件名
+                                  identifier: str = Query(''), user_id=Depends(valid_access_token)):  # 分片上传文件【用唯一标志符+分片序号】作为文件名
+    if user_id == False:
+        return JSONResponse(status_code=404, content={'code': 404, "msg": '警告:未登录禁止上传文件'})
     if not file:
         raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="文件字段缺失")
+
     if len(chunknumber) == 0 or len(identifier) == 0:
         return {"eroor": "没有传递相关参数"}
     # print(1111)
+    if '/' in chunknumber or '/' in  identifier:
+        return JSONResponse(status_code=404, content={'code': 404, "msg": '警告:禁止篡改文件路径'})
     task = identifier  # 获取文件唯一标识符
     chunk = chunknumber  # 获取该分片在所有分片中的序号【客户端设定】
     filename = '%s%s' % (task, chunk)  # 构成该分片唯一标识符
@@ -116,10 +124,17 @@ async def upload_big_file(        request: Request,
 @router.post("/upload/mergefile")
 async def mergefile(identifier: str = Query(''),
                     filename: str = Query(''),
-                    chunkstar: int = Query(0), dependencies=[Depends(valid_access_token_role)]):  # 根据唯一标识符合并文件
+                    chunkstar: int = Query(0), user_id=Depends(valid_access_token)):  # 根据唯一标识符合并文件
+    if user_id == False:
+        return JSONResponse(status_code=404, content={'code': 404, "msg": '警告:未登录禁止上传文件'})
+    if '../' in filename or '/' in filename:
+        return JSONResponse(status_code=404, content={'code': 404, "msg": '警告:禁止篡改文件路径'})
     if len(filename) == 0 or len(identifier) == 0:
         return {"eroor": "没有传递相关参数"}
+
     suffix = os.path.splitext(filename)[-1]
+    if suffix.lower() not in ['.png', '.jpg', '.jpeg','.doc','.docx','.xlx','.xlsx','.pdf','.mp3','.mp4']:
+        return JSONResponse(status_code=500, content={'code': 500, "msg": '警告:文件拓展名不在白名单中'})
     filename = new_guid() + suffix.lower()
     target_filename = filename  # 获取上传文件的文件名【保存的文件名】
     task = identifier  # 获取文件的唯一标识符
@@ -155,18 +170,22 @@ async def mergefile(identifier: str = Query(''),
 
 
 @router.get("/download/(unknown)")
-async def download_file(filename: str,filenameDesc: str = None, dependencies=[Depends(valid_access_token_role)]):
+async def download_file(filename: str,filenameDesc: str = None, user_id=Depends(valid_access_token)):
     """
     根据提供的文件名下载文件。
     :param filename: 要下载的文件的名称。
     """
     try:
+        if user_id == False:
+            return JSONResponse(status_code=404, content={'code': 404, "msg": '警告:未登录禁止下载文件'})
         # 构造文件的完整路径
+        if '../' in filename or '/' in filename:
+            return JSONResponse(status_code=404, content={'code': 404, "msg": '警告:禁止跨路径下载文件'})
         file_path = os.path.join(UPLOAD_mergefile_PATH, 'uploads/', filename)
 
         # 检查文件是否存在
         if not os.path.isfile(file_path):
-            raise HTTPException(status_code=404, detail="文件未找到")
+            return JSONResponse(status_code=404, content={'code': 404, "msg": "文件未找到"})
 
         if not filenameDesc:
             filenameDesc = filename
@@ -186,4 +205,4 @@ async def download_file(filename: str,filenameDesc: str = None, dependencies=[De
         raise e
     except Exception as e:
         # 处理其他异常情况
-        raise HTTPException(status_code=500, detail=str(e))
+        return JSONResponse(status_code=500, content={'code': 500, "msg": '发生错误,请联系运维人员'})
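Review bot: In the mergefile hunk the new traversal check at `if '../' in filename or '/' in filename:` guards a value the function only uses for its extension before discarding it (`filename = new_guid() + suffix.lower()`), while `identifier` — which becomes `task` and, per the function's own comment, is what selects the chunk files on disk — gets no such check in this request (it is only validated inside `upload_big_file`, a separate call). The same `'../' in x or '/' in x` blacklist is repeated in every hunk, and it does not reject a backslash separator, so on a Windows host `..\..\x` still traverses; `get_poster_by_id` even computes `os.path.abspath(...)` and then never compares it with the base directory. A containment check is more robust for all of these endpoints, e.g. in download_file: `base = os.path.abspath(os.path.join(UPLOAD_mergefile_PATH, 'uploads/'))`, `file_path = os.path.abspath(os.path.join(base, filename))`, `if os.path.dirname(file_path) != base: return JSONResponse(status_code=404, content={'code': 404, "msg": '警告:禁止跨路径下载文件'})`. Separately, `if user_id == False:` (used three times) only trips when the dependency returns literally `False`; if `valid_access_token`, which is not visible here, can return `None` on failure those handlers would proceed unauthenticated, so `if not user_id:` is the safer test (keeping in mind that the switch from `valid_access_token_role` also drops whatever role gating that dependency enforced). All of these handler bodies continue outside the shown hunks, so the later uses of `task` and `file_path` could not be verified.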