« FCKeditor和TinyMCE比较 | Main | JDBC-ODBC不能打开注册表关键字 »

FCKeditor中开启图片和Flash上传后的安全问题

11:20下午 三月 17, 2008 in category 工作 by 肖俊峰

  如果你使用FCKeditor时,开启了图片和Flash上传,那么你就需要对安全进行限制,默认是没有权限控制的。现在让我们看看例子中的web.xml内容:

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
  PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
  "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">

<web-app>
  <display-name>FCKeditor Test Application</display-name>
 
    <servlet>
        <servlet-name>Connector</servlet-name>
        <servlet-class>com.fredck.FCKeditor.connector.ConnectorServlet</servlet-class>
        <init-param>
            <param-name>baseDir</param-name>
            <param-value>/UserFiles/</param-value>
        </init-param>
        <init-param>
            <param-name>debug</param-name>
            <param-value>true</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet>
        <servlet-name>SimpleUploader</servlet-name>
        <servlet-class>com.fredck.FCKeditor.uploader.SimpleUploaderServlet</servlet-class>
        <init-param>
            <param-name>baseDir</param-name>
            <param-value>/UserFiles/</param-value>
        </init-param>
        <init-param>
            <param-name>debug</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>enabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>AllowedExtensionsFile</param-name>
            <param-value></param-value>
        </init-param>
        <init-param>
            <param-name>DeniedExtensionsFile</param-name>
            <param-value>php|php3|php5|phtml|asp|aspx|ascx|jsp|cfm|cfc|pl|bat|exe|dll|reg|cgi</param-value>
        </init-param>
        <init-param>
            <param-name>AllowedExtensionsImage</param-name>
            <param-value>jpg|gif|jpeg|png|bmp</param-value>
        </init-param>
        <init-param>
            <param-name>DeniedExtensionsImage</param-name>
            <param-value></param-value>
        </init-param>
        <init-param>
            <param-name>AllowedExtensionsFlash</param-name>
            <param-value>swf|fla</param-value>
        </init-param>
        <init-param>
            <param-name>DeniedExtensionsFlash</param-name>
            <param-value></param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>

  <servlet-mapping>
    <servlet-name>Connector</servlet-name>
    <url-pattern>/editor/filemanager/browser/default/connectors/jsp/connector</url-pattern>
  </servlet-mapping>
 
  <servlet-mapping>
    <servlet-name>SimpleUploader</servlet-name>
    <url-pattern>/editor/filemanager/upload/simpleuploader</url-pattern>
  </servlet-mapping> 

</web-app>

看了这个web.xml中的定义,你就知道文件的管理有两个url负责分别是/editor/filemanager/browser/default/connectors/jsp/connector和/editor/filemanager/upload/simpleuploader。我们就需要对它们的访问进行限制,我得方法是,添加了一个过滤器,只有授权用户才能访问它们。关于这个安全问题更完善的方法,以后再慢慢研究。

评论[0]

评论:

发表一条评论:
  • HTML语法: 启用