FAISP/src/main/resources/static/Crosseditor/websource/jsp/FileUpload.jsp


<%@page contentType="text/html;charset=utf-8" %>
<%@page import="java.io.*"%>
<%@page import="java.util.regex.PatternSyntaxException"%>
<%@page import="java.net.*"%>
<%@page import="java.util.List"%>
<%@page import="java.util.Iterator"%>
<%@page import="org.apache.commons.fileupload.servlet.ServletFileUpload"%>
<%@page import="org.apache.commons.fileupload.disk.DiskFileItemFactory"%>
<%@page import="org.apache.commons.fileupload.FileItem"%>
<%@page import="org.apache.commons.fileupload.FileUploadBase"%>
<%@page import="org.apache.commons.codec.binary.Base64"%>
<%@include file="Util.jsp"%>
<%@include file="SecurityTool.jsp"%>
<%@page import="java.util.Calendar"%>
<%--@include file="Vaccine.jsp"--%>
<%
// First scriptlet: parse the multipart body with commons-fileupload and read the
// request parameters that select the upload directory. Helpers such as detectXSSEx
// come from the included SecurityTool.jsp / Util.jsp and are not visible in this file.
/*
if(detectXSSEx(request.getParameter("licenseCheck")) != null){
if(detectXSSEx(request.getParameter("licenseCheck")).toLowerCase().equalsIgnoreCase("true")){
out.println(InetAddress.getLocalHost().getHostAddress());
return;
}
}
*/
boolean isMultipart = ServletFileUpload.isMultipartContent(request);
DiskFileItemFactory factory = null;
ServletFileUpload upload = null;
List items = null;
//try {
if (isMultipart) {
factory = new DiskFileItemFactory();
// Parts above 2 MiB are spooled to the factory's temporary directory, smaller ones stay in memory.
factory.setSizeThreshold(2 * 1024 * 1024);
upload = new ServletFileUpload(factory);
// NOTE(review): -1 disables the request-size limit entirely. The only size check is the
// per-file comparison against the client-supplied fileSizeLimit in the second scriptlet,
// and it runs after parseRequest has already written the whole body to memory/disk.
// A server-side setSizeMax()/setFileSizeMax() would bound what this page accepts.
upload.setSizeMax(-1);
upload.setHeaderEncoding("utf-8");
// NOTE(review): parseRequest throws FileUploadException (checked) and this call sits
// outside the try/catch of the second scriptlet, so a malformed or oversized body
// surfaces as the container's error page instead of an executeFileScript(...) response.
items = upload.parseRequest(request);
}else{
// Not multipart: the message is printed but processing continues; the second scriptlet
// prints the same message again from its own isMultipart check.
response.getWriter().println("not encoding type multipart/form-data");
}
//} catch (Exception e) {
// response.getWriter().println("not encoding type multipart/form-data");
// return;
//}
String messageText = "";
// NOTE(review): the size limit is taken from the client, so it is a UI convenience, not a
// server-side control. A missing or non-numeric value throws NumberFormatException here,
// before any try/catch, and ends in the container's error page.
int maxSize = Integer.parseInt(detectXSSEx(request.getParameter("fileSizeLimit")));
// NOTE(review): both values may be null when the parameter is absent (detectXSSEx is
// null-checked for other parameters below but these two are dereferenced unguarded).
String defaultUPath = detectXSSEx(request.getParameter("defaultUPath"));
String imageUPath = detectXSSEx(request.getParameter("fileUPath"));
String protocol = "http://";
//if(request.isSecure()){
// protocol = "https://";
//}
// Scheme is taken from the request URL as seen by the servlet container; if TLS is
// terminated upstream this presumably stays "http://" unless the connector is told otherwise.
String requestUrl = request.getRequestURL().toString();
if(requestUrl.indexOf("https://") == 0){
protocol = "https://";
}
// NOTE(review): the Host header is client-controlled; this value ends up in the fileURL
// returned to the editor (urlFilePath in the second scriptlet), so the host part of the
// returned link is client-influenced unless executeFileScript(...) constrains it.
String fileUPathHost = protocol + detectXSSEx(request.getHeader("host"));
// imagePhysicalPath / imageSubDirName / uploadFileExtBlockList may be assigned by the
// ImagePath.jsp and UploadFileExtBlockList.jsp includes that follow this scriptlet.
String imagePhysicalPath = "";
String imageSubDirName = "";
String useExternalServer = detectXSSEx(request.getParameter("useExternalServer"));
String uploadFileExtBlockList = "";
//2018-11-20[4.2.0.12] vaccine (virus scan) logic commented out (to be added back when shipped in a fixed build)
//String strVaccinePath = "";
%>
<%--@include file="VaccinePath.jsp"--%>
<%@include file="ImagePath.jsp"%>
<%@include file="UploadFileExtBlockList.jsp"%>
<%
// Second scriptlet: validate the target directory, write the uploaded part into a scratch
// folder <dir>/upload/, move it to its final folder and answer with the script produced by
// executeFileScript(...). Every helper used below (detectXSSEx, detectXSSEx2, dompaser,
// tempFolderCreate, tempFolderDelete, fileNameTimeSetting, getChildDirectory,
// checkFileUniqueName, fileCopy, isArray, the one-argument toString) comes from the
// included JSPs; their exact filtering/behaviour is not visible in this file.
// Optional query-string parameters, each passed through detectXSSEx (which may return null).
String fileModify = "";
if ( detectXSSEx(request.getParameter("filemodify")) != null)
fileModify = detectXSSEx(request.getParameter("filemodify"));
String fileEditorFlag = "";
if ( detectXSSEx(request.getParameter("fileEditorFlag")) != null)
fileEditorFlag = detectXSSEx(request.getParameter("fileEditorFlag"));
String uploadFileSubDir = "";
if ( detectXSSEx(request.getParameter("uploadFileSubDir")) != null)
uploadFileSubDir = detectXSSEx(request.getParameter("uploadFileSubDir"));
String fileDomain = "";
if ( detectXSSEx(request.getParameter("fileDomain")) != null)
fileDomain = detectXSSEx(request.getParameter("fileDomain"));
/*
String useExternalServer = "";
if ( detectXSSEx(request.getParameter("useExternalServer")) != null)
useExternalServer = detectXSSEx(request.getParameter("useExternalServer"));
*/
String checkPlugin = "false";
String fileTemp = "";
String scriptValue = "";
String saveFolder = "";
String returnParam ="";
String ContextPath = request.getContextPath();
String fileSize = "";
String tempFileName = "";
boolean diFlag = false;
ServletContext context = getServletConfig().getServletContext();
// Resolve the web path of the upload directory: the client-supplied fileUPath wins over
// defaultUPath; a leading scheme+host is stripped and the remainder must start with "/".
// NOTE(review): nothing in this block rejects ".." segments — whether detectXSSEx removes
// them is not visible here — so the client chooses the directory under the webapp root
// subject only to getRealPath(...) below. Rejecting ".." explicitly here would not depend
// on the include or on the container's normalisation.
if (!imageUPath.equalsIgnoreCase("")) {
if (imageUPath.length() > 7) {
if (imageUPath.substring(0, 7).equalsIgnoreCase("http://")) {
fileTemp = imageUPath.substring(7);
// NOTE(review): indexOf("/") is -1 when nothing follows the host; substring(-1) then
// throws StringIndexOutOfBoundsException outside the try/catch further down.
imageUPath = fileTemp.substring(fileTemp.indexOf("/"));
fileUPathHost = "http://" + fileTemp.substring(0, fileTemp.indexOf("/"));
}
else if (imageUPath.substring(0, 8).equalsIgnoreCase("https://")) {
fileTemp = imageUPath.substring(8);
imageUPath = fileTemp.substring(fileTemp.indexOf("/"));
fileUPathHost = "https://" + fileTemp.substring(0, fileTemp.indexOf("/"));
}
else if (!imageUPath.substring(0, 1).equalsIgnoreCase("/")) {
scriptValue = executeFileScript(response, "invalid_path", "", useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
response.getWriter().println(scriptValue);
return;
}
} else {
if (!imageUPath.substring(0, 1).equalsIgnoreCase("/")) {
scriptValue = executeFileScript(response, "invalid_path", "" , useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
response.getWriter().println(scriptValue);
return;
}
}
} else {
// Same normalisation for defaultUPath (also client-supplied; may be null, see the first scriptlet).
diFlag = true;
if (defaultUPath.length() > 7) {
if (defaultUPath.substring(0, 7).equalsIgnoreCase("http://")) {
fileTemp = defaultUPath.substring(7);
imageUPath = fileTemp.substring(fileTemp.indexOf("/"));
}
else if (defaultUPath.substring(0, 8).equalsIgnoreCase("https://")) {
fileTemp = defaultUPath.substring(8);
imageUPath = fileTemp.substring(fileTemp.indexOf("/"));
} else if (defaultUPath.substring(0, 1).equalsIgnoreCase("/"))
imageUPath = defaultUPath;
else {
scriptValue = executeFileScript(response, "invalid_path", "" , useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
response.getWriter().println(scriptValue);
return;
}
} else {
if (defaultUPath.substring(0, 1).equalsIgnoreCase("/"))
imageUPath = defaultUPath;
else {
scriptValue = executeFileScript(response, "invalid_path", "", useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
response.getWriter().println(scriptValue);
return;
}
}
}
// Ensure a trailing "/" on the web path.
if (imageUPath.length() > 0 && imageUPath.lastIndexOf("/") != imageUPath.length() - 1)
imageUPath = imageUPath + "/";
// Map the web path to a filesystem path unless ImagePath.jsp already set imagePhysicalPath.
// dompaser(...) is an include helper — presumably a configured path mapping; confirm.
if (imagePhysicalPath.equalsIgnoreCase("")) {
String DompaserValue = dompaser(imageUPath);
if (DompaserValue.equalsIgnoreCase("")) {
imagePhysicalPath = context.getRealPath(imageUPath);
// 2013.08.26 [2.0.5.23] mwhong tomcat8.0
// NOTE(review): if imageUPath is shorter than ContextPath this substring throws, and if
// getRealPath still returns null the new File(imagePhysicalPath) below throws NPE —
// both outside the try/catch and therefore reported by the container, not by this page.
if(imagePhysicalPath == null && imageUPath != null && ContextPath != null){
imagePhysicalPath = context.getRealPath(imageUPath.substring(ContextPath.length()));
}
if (!ContextPath.equalsIgnoreCase("") && !ContextPath.equalsIgnoreCase("/")) {
File tempFileRealDIR = new File(imagePhysicalPath);
if (!tempFileRealDIR.exists()){
if (imageUPath.indexOf(ContextPath) != -1)
imagePhysicalPath = context.getRealPath(imageUPath.substring(ContextPath.length()));
}
}
}
else
imagePhysicalPath = DompaserValue;
}
// The target directory must already exist and be writable by the container user.
File fileRealFolderWriteCheck = new File(imagePhysicalPath);
if (!fileRealFolderWriteCheck.exists()) {
scriptValue = executeFileScript(response, "invalid_path", "" , useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
response.getWriter().println(scriptValue);
return;
}
if (!fileRealFolderWriteCheck.canWrite()) {
scriptValue = executeFileScript(response, "canWriteErr", "", useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
response.getWriter().println(scriptValue);
return;
}
if (imagePhysicalPath.length() > 0 && imagePhysicalPath.lastIndexOf(File.separator) != imagePhysicalPath.length() - 1)
imagePhysicalPath += File.separator;
// Scratch folder <dir>/upload/ into which the part is written first.
// NOTE(review): File.setExecutable/setReadable/setWritable return false and change nothing
// when the path does not exist yet (java.io.File Javadoc), so the three calls before mkdir()
// are no-ops; the same pattern recurs for every folder created further down. To restrict
// the created directory the calls would have to follow the mkdir()/mkdirs().
String filePhysicalPathsubFolder = imagePhysicalPath;
File SaveSubFolder = new File(filePhysicalPathsubFolder + "upload");
if(!SaveSubFolder.exists()){
SaveSubFolder.setExecutable(false, true);
SaveSubFolder.setReadable(true);
SaveSubFolder.setWritable(false, true);
boolean returnRes = SaveSubFolder.mkdir();
if(returnRes == false && !SaveSubFolder.exists()){
scriptValue = executeFileScript(response, "invalid_path", "", useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
response.getWriter().println(scriptValue);
return;
}
}
filePhysicalPathsubFolder += "upload" + File.separator;
// Set to the file written into the scratch folder so it can be removed after the move.
File DeleteTempFolder = null;
// From here on failures are reported through executeFileScript(...) (see the catch blocks at the end).
try {
String tempFileFolder = "";
// tempFolderCreate / tempFolderDelete are include helpers — presumably a per-request scratch dir; confirm.
if (uploadFileSubDir.equalsIgnoreCase("false") && !imageUPath.equalsIgnoreCase(""))
tempFileFolder = tempFolderCreate(imagePhysicalPath);
else
tempFileFolder = imagePhysicalPath;
//boolean isMultipart = ServletFileUpload.isMultipartContent(request);
if (isMultipart) {
String realDir = filePhysicalPathsubFolder;
//DiskFileItemFactory factory = new DiskFileItemFactory();
//factory.setSizeThreshold(2 * 1024 * 1024);
//ServletFileUpload upload = new ServletFileUpload(factory);
//upload.setSizeMax(-1);
//upload.setHeaderEncoding("utf-8");
//List items = upload.parseRequest(request);
Iterator iter=items.iterator();
String fileMaxCount = "";
String fileTitle = "";
String fileId = "";
String fileClass = "";
String fileKind = "";
String fileTempFName = "";
String fileUNameType = "";
String editorFrame = "";
String filename = "";
String type = "";
// Walk the multipart items: plain fields are copied into the locals above, the file
// part(s) are written into the scratch folder. With several file parts the last one wins.
while(iter.hasNext()){
FileItem fileItem = (FileItem) iter.next();
if(fileItem.isFormField()){
// toString(...) here is the one-argument include helper, not Object.toString — presumably null-safe; confirm.
if( fileItem.getFieldName().equalsIgnoreCase("fileMaxCount") ) fileMaxCount = detectXSSEx(toString(fileItem.getString("utf-8")));
if( fileItem.getFieldName().equalsIgnoreCase("fileTitle") ) fileTitle = detectXSSEx(toString(fileItem.getString("utf-8")));
if( fileItem.getFieldName().equalsIgnoreCase("fileId") ) fileId = detectXSSEx(toString(fileItem.getString("utf-8")));
if( fileItem.getFieldName().equalsIgnoreCase("fileClass") ) fileClass = detectXSSEx(toString(fileItem.getString("utf-8")));
if( fileItem.getFieldName().equalsIgnoreCase("fileKind") ) fileKind = detectXSSEx(toString(fileItem.getString("utf-8")));
if( fileItem.getFieldName().equalsIgnoreCase("fileTempFName") ) fileTempFName = detectXSSEx(toString(fileItem.getString("utf-8")));
if( fileItem.getFieldName().equalsIgnoreCase("fileUNameType") ) fileUNameType = detectXSSEx(toString(fileItem.getString("utf-8")));
if( fileItem.getFieldName().equalsIgnoreCase("editorFrame") ) editorFrame = detectXSSEx(toString(fileItem.getString("utf-8")));
} else {
if(fileItem.getSize()>0) {
fileSize = Long.toString(fileItem.getSize());
// Per-file size check against the client-supplied limit. NOTE(review): the part has
// already been fully received and stored by parseRequest, so this does not bound
// what the server accepts; it only decides whether the file is kept.
if(fileItem.getSize() > maxSize){
scriptValue = executeFileScript(response, "invalid_size", Integer.toString(maxSize), useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
response.getWriter().println(scriptValue);
return;
}
// Client-supplied file name from the part's Content-Disposition.
// NOTE(review): the backslash strip below keeps the "\" it found (substring starts
// at lastIndexOf), so the scratch file is created with a leading backslash; "/" is
// not handled here at all. Only detectXSSEx2 (not visible) stands between this name
// and new File(realDir + tempFileName) below — rejecting names that contain a path
// separator or ".." here would not depend on the include.
filename = fileItem.getName();
//filename = detectXSSEx(filename);
filename = detectXSSEx2(filename);
if (filename.lastIndexOf("\\") != -1) {
filename = filename.substring(filename.lastIndexOf("\\"), filename.length());
}
type = fileItem.getContentType();
// Hard-coded rejection of server-executable names and names without an extension.
// NOTE(review): these are substring matches over the whole name, not checks of the
// final extension — ".js" also rejects e.g. "notes.json", and a listed token anywhere
// in the name is enough. The configurable list (fileCheck, below) is the check that
// looks at the final extension only.
if (filename.toLowerCase().indexOf(".") == -1 || filename.toLowerCase().indexOf(".jar") != -1 || filename.toLowerCase().indexOf(".war") != -1 || filename.toLowerCase().indexOf(".jsp") != -1 || filename.toLowerCase().indexOf(".jspx") != -1 || filename.toLowerCase().indexOf(".js") != -1 || filename.toLowerCase().indexOf(".html") != -1 || filename.toLowerCase().indexOf(".htm") != -1) {
//scriptValue = executeFileScript(response, "fail_image", "", useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
//scriptValue = executeFileScript(response, "invalid_file", "prohibited : jsp, js, html, htm", useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
// [4.0.0.22] [KISA security finding] do not show the list of restricted extensions in the alert
//scriptValue = executeFileScript(response, "fail_image", "", useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
scriptValue = executeFileScript(response, "UploadFileExtBlock", "", useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
response.getWriter().println(scriptValue);
return;
}
// Write the part into the scratch folder; on a name clash a time-based name is used.
// NOTE(review): FileItem.write declares "throws Exception", so only IOException is
// caught here; messageText = "upload fail" is never reported and execution continues —
// the missing file is only noticed when fileCopy fails further down. The written file
// is tracked in DeleteTempFolder and removed after fileCopy; the early returns between
// here and there (UploadFileExtBlock, invalid_path) leave it on disk under <dir>/upload/
// with the name chosen above.
try{
tempFileName = filename;
File uploadedFile = new File(realDir + tempFileName);
if(uploadedFile.exists()){
tempFileName = fileNameTimeSetting();
uploadedFile = new File(realDir,tempFileName);
}
//File uploadedFile=new File(realDir,filename);
fileItem.write(uploadedFile);
fileItem.delete();
DeleteTempFolder = uploadedFile;
}catch(IOException ex) {
//System.out.println("An internal exception occured!");
messageText = "upload fail";
}
}
}
}
// Base name of the stored file: the original base name ("real"), a time-based name
// ("random"), or Base64 of the original base name (anything else).
// NOTE(review): if no file part with size > 0 arrived, filename is "" and lastIndexOf(".")
// is -1, so substring(0, -1) throws StringIndexOutOfBoundsException (reported below as a
// generic <System Error>). getBytes() without a charset uses the platform default encoding.
String fileTempName = "";
String fileKindSubFolder = "";
fileKindSubFolder = "files";
if (fileUNameType.equalsIgnoreCase("real"))
fileTempName = filename.substring(0, filename.lastIndexOf("."));
else if(fileUNameType.equalsIgnoreCase("random"))
fileTempName = fileNameTimeSetting();
else {
//fileTempName = fileTempFName;
fileTempName = filename.substring(0, filename.lastIndexOf("."));
//sun.misc.BASE64Encoder encoder = new sun.misc.BASE64Encoder();
//byte[] keyByte = fileTempName.getBytes("utf-8");
//fileTempName = encoder.encode(keyByte);
// requires the commons-codec library -> https://commons.apache.org/proper/commons-codec/download_codec.cgi
byte[] encoded = Base64.encodeBase64(fileTempName.getBytes());
fileTempName = new String(encoded, "ISO-8859-1");
// Base64 "/" would be read as a path separator in the stored name; replace it with a marker.
if (fileTempName.indexOf("/") != -1)
fileTempName = fileTempName.replaceAll("/", "==NamOSeSlaSH==");
}
String realFileName = fileTempName.replace(' ', '_');
// Final extension (text after the last "."), checked against UploadFileExtBlockList.jsp.
// NOTE(review): the negated isArray(...) reads as an allow-list check despite the variable
// name — confirm the intended semantics against that include. On rejection the scratch
// file written above (DeleteTempFolder) is not deleted before returning.
String fileCheck =filename.substring(filename.lastIndexOf(".") + 1).toLowerCase();
fileCheck = detectXSSEx(fileCheck);
if(uploadFileExtBlockList.length() > 0 && !isArray(uploadFileExtBlockList, fileCheck)){
scriptValue = executeFileScript(response, "UploadFileExtBlock", "", useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
response.getWriter().println(scriptValue);
return;
}
/*
if (!isImageValid("file", fileCheck)) {
if(uploadFileSubDir.equalsIgnoreCase("false") && !imageUPath.equalsIgnoreCase(""))
tempFolderDelete(tempFileFolder);
scriptValue = executeFileScript(response, "invalid_file", getImageKind("file"), useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
response.getWriter().println(scriptValue);
return;
}
*/
// Zero-padded yyyy/MM/dd components for the date sub-folder.
Calendar cal = Calendar.getInstance();
String year = Integer.toString(cal.get(Calendar.YEAR));
String month = Integer.toString(cal.get(Calendar.MONTH)+1);
String day = Integer.toString(cal.get(Calendar.DAY_OF_MONTH));
String sPath = "";
if(month.length() == 1)
month = "0" + month;
if(day.length() == 1)
day = "0" + day;
// Build the final folder: <dir>[/data/yyyy/MM/dd/<imageSubDirName>] when uploadFileSubDir is
// "false", otherwise <dir>[/data]/files[/yyyy/MM/dd/<imageSubDirName>]/<child from getChildDirectory>.
// NOTE(review): imageSubDirName != "" compares references, not contents; it only behaves as
// intended while imageSubDirName holds the interned literal "" (or whatever ImagePath.jsp
// assigns) — use isEmpty()/equals. The same comparison recurs several times below.
// NOTE(review): synchronized (this) locks the generated servlet instance, so it serialises
// only this page within this JVM; the exists()/mkdirs() window stays racy across instances.
if(uploadFileSubDir.equalsIgnoreCase("false")) {
if(imageSubDirName != "")
imagePhysicalPath += "data" + File.separator;
File fileSaveSubFolder = new File(imagePhysicalPath);
synchronized (this){
if(!fileSaveSubFolder.exists()){
fileSaveSubFolder.setExecutable(false, true);
fileSaveSubFolder.setReadable(true);
fileSaveSubFolder.setWritable(false, true);
boolean returnRes = fileSaveSubFolder.mkdirs();
if(returnRes == false){
scriptValue = executeFileScript(response, "invalid_path", "", useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
response.getWriter().println(scriptValue);
return;
}
}
}
if(imageSubDirName != ""){
sPath = year + File.separator + month + File.separator + day + File.separator + imageSubDirName;
imagePhysicalPath += sPath + File.separator;
File folderPath = new File(imagePhysicalPath);
synchronized (this){
if(!folderPath.exists()){
// NOTE(review): mkdirs() reports failure through its return value, which is ignored
// here, and the catch only calls getStackTrace() — a failed mkdirs is silently dropped.
try{
folderPath.setExecutable(false, true);
folderPath.setReadable(true);
folderPath.setWritable(false, true);
folderPath.mkdirs();
}catch(Exception e){
e.getStackTrace();
}
}
}
}
} else {
if(imageSubDirName != "")
imagePhysicalPath += "data" + File.separator;
File fileSaveSubFolder = new File(imagePhysicalPath + fileKindSubFolder);
synchronized (this){
if(!fileSaveSubFolder.exists()){
fileSaveSubFolder.setExecutable(false, true);
fileSaveSubFolder.setReadable(true);
fileSaveSubFolder.setWritable(false, true);
boolean returnRes = fileSaveSubFolder.mkdirs();
if(returnRes == false){
scriptValue = executeFileScript(response, "invalid_path", "", useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
response.getWriter().println(scriptValue);
return;
}
}
}
imagePhysicalPath += fileKindSubFolder + File.separator;
if(imageSubDirName != ""){
sPath = year + File.separator + month + File.separator + day + File.separator + imageSubDirName;
imagePhysicalPath += sPath + File.separator;
File folderPath = new File(imagePhysicalPath);
synchronized (this){
if(!folderPath.exists()){
try{
folderPath.setExecutable(false, true);
folderPath.setReadable(true);
folderPath.setWritable(false, true);
folderPath.mkdirs();
}catch(Exception e){
e.getStackTrace();
}
}
}
}
// getChildDirectory(...) is an include helper — presumably selects/creates a numbered child
// folder bounded by the client-supplied fileMaxCount and returns "" on failure; confirm.
saveFolder = getChildDirectory(imagePhysicalPath, fileMaxCount);
if (saveFolder.equalsIgnoreCase("")) {
if(uploadFileSubDir.equalsIgnoreCase("false") && !imageUPath.equalsIgnoreCase("")){
boolean returnRes = tempFolderDelete(tempFileFolder);
if(returnRes == false){
messageText = "delete fail";
}
}
scriptValue = executeFileScript(response, "invalid_path", "", useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
response.getWriter().println(scriptValue);
return;
} else
imagePhysicalPath += saveFolder;
}
// Final stored name (checkFileUniqueName is an include helper — presumably appends a suffix
// on collision and re-attaches the extension; confirm) and the URL returned to the editor.
realFileName = realFileName.replace('\\', ' ').trim();
String filenamecheck = checkFileUniqueName(realFileName, imagePhysicalPath, fileCheck);
String imgLinkParams = "";
// fileUPathHost comes from the Host header or the client-supplied fileUPath (see above), so
// the host part of the returned link is client-influenced.
String urlFilePath = fileUPathHost + imageUPath;
if(uploadFileSubDir.equalsIgnoreCase("false")) {
if(imageSubDirName != "")
urlFilePath += "data" + File.separator + sPath + File.separator;
} else{
if(imageSubDirName != "")
urlFilePath += "data" + File.separator + fileKindSubFolder + File.separator + sPath + File.separator + saveFolder + File.separator;
else
urlFilePath += fileKindSubFolder + File.separator + saveFolder + File.separator;
}
// The URL was assembled with File.separator; normalise Windows separators to "/".
urlFilePath = urlFilePath.replace('\\', '/');
filenamecheck = filenamecheck.replace('\\', ' ').trim();
urlFilePath += filenamecheck;
imgLinkParams = urlFilePath;
// Defensive null checks (detectXSSEx may return null, as the parameter checks at the top assume).
if (fileTitle == null)
fileTitle ="";
if (fileId == null)
fileId ="";
if (fileClass == null)
fileClass = "";
if (editorFrame == null)
editorFrame = "";
if (fileSize == null)
fileSize = "";
// Response payload, built by string concatenation.
// NOTE(review): fileTitle/fileId/fileClass/fileKind/editorFrame are form fields and
// urlFilePath carries the client-supplied file name and Host header; none of them is
// JSON-escaped here, so a '"' or '\' that survives detectXSSEx changes the structure of
// this object. Whether executeFileScript(...) escapes it for the script context it is
// embedded in is not visible in this file.
returnParam = "{";
//returnParam += "\"fileURL\":\"" + urlFilePath.replaceAll("'", "\\\\\"") + "\",";
returnParam += "\"fileURL\":\"" + urlFilePath + "\",";
returnParam += "\"fileTitle\":\"" + fileTitle + "\",";
returnParam += "\"fileId\":\"" + fileId + "\",";
returnParam += "\"fileClass\":\"" + fileClass + "\",";
returnParam += "\"fileKind\":\"" + fileKind + "\",";
returnParam += "\"fileType\":\"" + fileCheck + "\",";
returnParam += "\"fileSize\":\"" + fileSize + "\",";
if (fileModify.equalsIgnoreCase("true"))
returnParam += "\"fileModify\":\"true\",";
returnParam += "\"editorFrame\":\"" + editorFrame + "\"";
returnParam += "}";
// Move the scratch file to its final location (fileCopy is an include helper; 1 is treated
// as success below), then remove the scratch copy.
String moveFilePath = imagePhysicalPath + File.separator + filenamecheck;
int check = fileCopy(filePhysicalPathsubFolder + tempFileName, moveFilePath);
if(DeleteTempFolder != null){
boolean returnRes = DeleteTempFolder.delete();
if(returnRes == false){
messageText = "delete fail";
}
}
if (check == 1) {
//2018-11-20[4.2.0.12] vaccine (virus scan) logic commented out (to be added back when shipped in a fixed build)
/*
if (strVaccinePath.length() <= 0) {
strVaccinePath = imagePhysicalPath + "/../../../vse";
}
String strName = checkVirusFile (moveFilePath, imagePhysicalPath + File.separator, strVaccinePath);
*/
if(uploadFileSubDir.equalsIgnoreCase("false") && !imageUPath.equalsIgnoreCase("")){
boolean returnRes = tempFolderDelete(tempFileFolder);
if(returnRes == false){
messageText = "delete fail";
}
}
// File.delete on a directory only succeeds when it is empty; a failure here just sets
// messageText, which is not reported on the success path.
if (SaveSubFolder.exists()){
boolean returnRes = SaveSubFolder.delete();
if(returnRes == false){
messageText = "delete fail";
}
}
//2018-11-20[4.2.0.12] vaccine (virus scan) logic commented out (to be added back when shipped in a fixed build)
/*
if (strName.length() > 0) {
String msg = "found virus (";
msg += strName + ")";
scriptValue = executeFileScript(response, "virus", msg, useExternalServer, fileDomain, fileEditorFlag, "false");
response.getWriter().println(scriptValue);
return;
}
*/
scriptValue = executeFileScript(response, "success", returnParam, useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
response.getWriter().println(scriptValue);
return;
} else {
if(uploadFileSubDir.equalsIgnoreCase("false") && !imageUPath.equalsIgnoreCase("")){
boolean returnRes = tempFolderDelete(tempFileFolder);
if(returnRes == false){
messageText = "delete fail";
}
}
scriptValue = executeFileScript(response, "fileCopyFail", "", useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
response.getWriter().println(scriptValue);
return;
}
}else{
response.getWriter().println("not encoding type multipart/form-data");
}
// NOTE(review): any IOException raised inside the try is reported as "invalid_size", which is
// misleading for other I/O failures (e.g. the folder-creation and copy steps above).
} catch (IOException ioe) {
scriptValue = executeFileScript(response, "invalid_size", Integer.toString(maxSize), useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
response.getWriter().println(scriptValue);
return;
// NOTE(review): this catch cannot trigger — the only parseRequest call is in the first
// scriptlet, outside this try, and setSizeMax(-1) disables the limit that would raise it.
} catch (org.apache.commons.fileupload.FileUploadBase.SizeLimitExceededException e) {
scriptValue = executeFileScript(response, "invalid_size", Integer.toString(maxSize), useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
response.getWriter().println(scriptValue);
return;
// NOTE(review): the exception itself is discarded here (not logged, no cause kept); log e
// server-side before answering so failures can be diagnosed without exposing details to the client.
} catch (RuntimeException e) {
messageText += "RuntimeException";
messageText = "<System Error>" + messageText;
scriptValue = executeFileScript(response, "", messageText, useExternalServer, fileDomain, fileEditorFlag, checkPlugin);
response.getWriter().println(scriptValue);
return;
}
%>