GTsoft/RuoYi-Vue-Plus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix 修复 有某些无聊人士 对一个demo案例提漏洞 CVE-2025-6925

Browse Source
This commit is contained in:
疯狂的狮子Li 2025-07-02 14:35:25 +08:00
parent 9775283a24
commit f29b787767
1 changed files with 6 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
ruoyi-modules/ruoyi-demo/src/main/java/org/dromara/demo/controller/MailController.java
View File

@ -44,11 +44,11 @@ public class MailController {
* @param to 接收人 * @param to 接收人
* @param subject 标题 * @param subject 标题
* @param text 内容 * @param text 内容
* @param filePath 附件路径
*/ */
@GetMapping("/sendMessageWithAttachment") @GetMapping("/sendMessageWithAttachment")
public R<Void> sendMessageWithAttachment(String to, String subject, String text, String filePath) { public R<Void> sendMessageWithAttachment(String to, String subject, String text) {
MailUtils.sendText(to, subject, text, new File(filePath)); // 附件路径 禁止前端传递 有任意读取系统文件风险
MailUtils.sendText(to, subject, text, new File("/xxx/xxx"));
return R.ok(); return R.ok();
} }
@ -58,10 +58,11 @@ public class MailController {
* @param to 接收人 * @param to 接收人
* @param subject 标题 * @param subject 标题
* @param text 内容 * @param text 内容
* @param paths 附件路径
*/ */
@GetMapping("/sendMessageWithAttachments") @GetMapping("/sendMessageWithAttachments")
public R<Void> sendMessageWithAttachments(String to, String subject, String text, String[] paths) { public R<Void> sendMessageWithAttachments(String to, String subject, String text) {
// 附件路径 禁止前端传递 有任意读取系统文件风险
String[] paths = new String[]{"/xxx/xxx", "/xxx/xxx"};
File[] array = Arrays.stream(paths).map(File::new).toArray(File[]::new); File[] array = Arrays.stream(paths).map(File::new).toArray(File[]::new);
MailUtils.sendText(to, subject, text, array); MailUtils.sendText(to, subject, text, array);
return R.ok(); return R.ok();