From 1f068377a493de7659e154d3d926114c9af7d569 Mon Sep 17 00:00:00 2001 From: Nrtp Date: Thu, 27 Oct 2022 21:17:37 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8Dssrf=E6=BC=8F=E6=B4=9E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Nrtp
---
 .../com/cskefu/cc/controller/resource/MediaController.java | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/contact-center/app/src/main/java/com/cskefu/cc/controller/resource/MediaController.java b/contact-center/app/src/main/java/com/cskefu/cc/controller/resource/MediaController.java
index 3444daa9..65352ee1 100644
--- a/contact-center/app/src/main/java/com/cskefu/cc/controller/resource/MediaController.java
+++ b/contact-center/app/src/main/java/com/cskefu/cc/controller/resource/MediaController.java
@@ -44,6 +44,7 @@ import org.springframework.web.multipart.MultipartFile;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.validation.Valid;
+import java.util.regex.Pattern;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
@@ -100,6 +101,9 @@ public class MediaController extends Handler {
 if (StringUtils.isBlank(url)) {
 return;
 }
+ if(!Pattern.matches("^https?://.*/.*$", url)) { //只允许http/https协议
+ return;
+ }
 byte[] data = new byte[1024];
 int length = 0;
 OutputStream out = response.getOutputStream();
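Review bot: The added scheme check on the new `if(!Pattern.matches("^https?://.*/.*$", url))` line does not close the SSRF the commit title says it fixes: a URL such as `http://127.0.0.1:8080/admin` or `http://169.254.169.254/latest/meta-data/` still passes, because nothing restricts the target host, only the scheme. The method header and the fetch itself are outside the hunk, so I cannot see which client is used, but the URL should at least be parsed and its resolved address rejected when it is loopback, any-local, site-local or link-local (or, better, matched against an allow-list of hosts), and the bare `return` should set a 4xx status rather than answering 200 with an empty body. A resolve-then-check does not by itself defend against DNS rebinding between this check and the fetch, nor against redirects to an internal address if the client follows them, so the fetch code also needs to disable or re-validate redirects; the `java.net` types used below would need importing. Minor: compile the regex once as a `private static final Pattern` instead of calling `Pattern.matches` on every request.
```java
        if(!Pattern.matches("^https?://.*/.*$", url)) { //只允许http/https协议
            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Reject targets that resolve to an internal address; a bare scheme check is not an SSRF defence.
        // NOTE(review): does not cover DNS rebinding or redirects — handle those at the fetch as well.
        try {
            String host = new URI(url).getHost();
            if (host == null) {
                response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
            InetAddress addr = InetAddress.getByName(host);
            if (addr.isLoopbackAddress() || addr.isAnyLocalAddress()
                    || addr.isSiteLocalAddress() || addr.isLinkLocalAddress()) {
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        } catch (URISyntaxException | UnknownHostException e) {
            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // … unchanged: buffer setup and fetch of the remote resource …
```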