1、校验附件上传名称规范(比如带js脚本的不通过)；2、默认启用cookie的httpOnly属性；3、限制默认可上传的附件类型；4、限制file模块、bb...

1、校验附件上传名称规范(比如带js脚本的不通过)；2、默认启用cookie的httpOnly属性；3、限制默认可上传的附件类型；4、限制file模块、bbs模块、会议管理模块附件上传大小和类型；5、后端脚本禁用FileWright和System类使用

1、校验附件上传名称规范(比如带js脚本的不通过)；2、默认启用cookie的httpOnly属性；3、限制默认可上传的附件类型；4、限制file模块、bb...
1、校验附件上传名称规范(比如带js脚本的不通过)；2、默认启用cookie的httpOnly属性；3、限制默认可上传的附件类型；4、限制file模块、bbs模块、会议管理模块附件上传大小和类型；5、后端脚本禁用FileWright和System类使用
ea1fefc3 · o2sword · 06c6a0fb · ea1fefc3 · ea1fefc3 · ea1fefc3
28 changed file
--- a/o2server/x_base_core_project/src/main/java/com/x/base/core/project/config/General.java
+++ b/o2server/x_base_core_project/src/main/java/com/x/base/core/project/config/General.java
 package com.x.base.core.project.config;

 import java.io.File;
+import java.io.FileWriter;
 import java.nio.file.Path;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.List;

 import org.apache.commons.io.FileUtils;
@@ -21,7 +23,8 @@ public class General extends ConfigObject {
    private static final Boolean DEFAULT_WEBSOCKETENABLE = true;
    private static final Boolean DEFAULT_CONFIGAPIENABLE = true;
    private static final List<String> DEFAULT_SCRIPTINGBLOCKEDCLASSES = Arrays.asList(Runtime.class.getName(),
-            File.class.getName(), Path.class.getName(), java.lang.ProcessBuilder.class.getName());
+            File.class.getName(), Path.class.getName(), java.lang.ProcessBuilder.class.getName(),
+            FileWriter.class.getName(), java.lang.System.class.getName());
    private static final Boolean DEFAULT_REQUESTLOGENABLE = false;
    private static final Integer DEFAULT_REQUESTLOGRETAINDAYS = 7;
    private static final Boolean DEFAULT_REQUESTLOGBODYENABLE = false;
@@ -180,10 +183,11 @@ public class General extends ConfigObject {
        private Integer fileSize = DEFAULT_FILE_SIZE;

        @FieldDescribe("只允许上传的文件后缀")
-        private List<String> fileTypeIncludes = new ArrayList<>();
+        private List<String> fileTypeIncludes = Arrays.asList("doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf",
+                "xapp", "text", "zip", "rar", "mp3", "mp4", "png", "jpg", "gif");

        @FieldDescribe("不允许上传的文件后缀")
-        private List<String> fileTypeExcludes = Arrays.asList("jsp", "exe", "sh", "tmp", "html", "htm", "xhtml");
+        private List<String> fileTypeExcludes = Collections.EMPTY_LIST;

        public Integer getFileSize() {
            return fileSize;

--- a/o2server/x_base_core_project/src/main/java/com/x/base/core/project/config/Person.java
+++ b/o2server/x_base_core_project/src/main/java/com/x/base/core/project/config/Person.java
@@ -42,7 +42,7 @@ public class Person extends ConfigObject {
 	public static final Integer DEFAULT_FAILUREINTERVAL = 10;
 	public static final Integer DEFAULT_FAILURECOUNT = 5;
 	public static final Integer DEFAULT_TOKENEXPIREDMINUTES = 60 * 24 * 15;
-	public static final Boolean DEFAULT_TOKENCOOKIEHTTPONLY = false;
+	public static final Boolean DEFAULT_TOKENCOOKIEHTTPONLY = true;

 	public static final String DEFAULT_PASSWORDREGEX = "((?=.*\\d)(?=.*\\D)|(?=.*[a-zA-Z])(?=.*[^a-zA-Z]))^.{6,}$";
 	public static final String DEFAULT_PASSWORDREGEXHINT = "6位以上,包含数字和字母.";

--- a/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/fileinfo/ExceptionAttachmentInvalid.java
+++ b/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/fileinfo/ExceptionAttachmentInvalid.java
-package com.x.cms.assemble.control.jaxrs.fileinfo;
+package com.x.base.core.project.exception;

-import com.x.base.core.project.exception.PromptException;
-
-class ExceptionAttachmentInvalid extends PromptException {
+public class ExceptionAttachmentInvalid extends PromptException {

 	private static final long serialVersionUID = 3232548525722242208L;

 	public static String defaultMessage = "附件:{}, 不符合上传类型.";

-	ExceptionAttachmentInvalid(String fileName) {
+	public ExceptionAttachmentInvalid(String fileName) {
 		super(defaultMessage, fileName);
 	}

-	ExceptionAttachmentInvalid(String fileName, Integer fileSize) {
+	public ExceptionAttachmentInvalid(String fileName, Integer fileSize) {
 		super("附件:{},附件大小超过限制{}M.", fileName, fileSize);
 	}


--- a/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/fileinfo/ExceptionAttachmentInvalidCallback.java
+++ b/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/fileinfo/ExceptionAttachmentInvalidCallback.java
-package com.x.cms.assemble.control.jaxrs.fileinfo;
+package com.x.base.core.project.exception;

-import com.x.base.core.project.exception.PromptException;
-
-class ExceptionAttachmentInvalidCallback extends PromptException {
+public class ExceptionAttachmentInvalidCallback extends PromptException {

 	private static final long serialVersionUID = 8275405268546054638L;

-	ExceptionAttachmentInvalidCallback(String callbackName, String fileName) {
+	public ExceptionAttachmentInvalidCallback(String callbackName, String fileName) {
 		super(callbackName, "附件:{}, 不符合上传类型.", fileName);
 	}

-	ExceptionAttachmentInvalidCallback(String callbackName, String fileName, Integer fileSize) {
+	public ExceptionAttachmentInvalidCallback(String callbackName, String fileName, Integer fileSize) {
 		super(callbackName, "附件:{},附件大小超过限制{}M.", fileName, fileSize);
 	}


--- a/o2server/x_base_core_project/src/main/java/com/x/base/core/project/exception/ExceptionFileNameInvalid.java
+++ b/o2server/x_base_core_project/src/main/java/com/x/base/core/project/exception/ExceptionFileNameInvalid.java
+package com.x.base.core.project.exception;
+
+/**
+ * @author sword
+ */
+public class ExceptionFileNameInvalid extends PromptException {
+
+	private static final long serialVersionUID = -283505161497831794L;
+
+	public ExceptionFileNameInvalid(String str) {
+		super("附件名称:{},不合规.", str);
+	}
+}
--- a/o2server/x_base_core_project/src/main/java/com/x/base/core/project/tools/FileTools.java
+++ b/o2server/x_base_core_project/src/main/java/com/x/base/core/project/tools/FileTools.java
@@ -7,11 +7,19 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Map;

+import com.x.base.core.project.config.Config;
+import com.x.base.core.project.exception.ExceptionAttachmentInvalid;
+import com.x.base.core.project.exception.ExceptionAttachmentInvalidCallback;
+import com.x.base.core.project.exception.ExceptionFileNameInvalid;
 import org.apache.commons.io.FileUtils;
+import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.lang3.StringUtils;

 import com.x.base.core.project.gson.GsonPropertyObject;

+/**
+ * @author sword
+ */
 public class FileTools {

 	public static String parent(String path) {
@@ -25,7 +33,7 @@ public class FileTools {

 	/**
 	 * 创建目录-递归父级
-	 * 
+	 *
 	 * @param dist
 	 * @throws Exception
 	 */
@@ -39,7 +47,7 @@ public class FileTools {

 	/**
 	 * 获取文件夹下所有的文件 + 模糊查询（当不需要模糊查询时，queryStr传空或null即可）
-	 * 
+	 *
 	 * @param folderPath 路径
 	 * @param queryStr   模糊查询字符串
 	 * @return
@@ -148,4 +156,45 @@ public class FileTools {
 		return name;
 	}

+	/**
+	 * 判断附件是否符合大小、文件类型的约束
+	 *
+	 * @param size
+	 * @param fileName
+	 * @param callback
+	 * @throws Exception
+	 */
+	public static void verifyConstraint(long size, String fileName, String callback) throws Exception {
+		if(!StringTools.isFileName(fileName)){
+			throw new ExceptionFileNameInvalid(fileName);
+		}
+		if (Config.general().getAttachmentConfig().getFileSize() != null && Config.general().getAttachmentConfig().getFileSize() > 0) {
+			size = size / (1024 * 1024);
+			if (size > Config.general().getAttachmentConfig().getFileSize()) {
+				if (StringUtils.isNotEmpty(callback)) {
+					throw new ExceptionAttachmentInvalidCallback(callback, fileName, Config.general().getAttachmentConfig().getFileSize());
+				} else {
+					throw new ExceptionAttachmentInvalid(fileName, Config.general().getAttachmentConfig().getFileSize());
+				}
+			}
+		}
+		String fileType = FilenameUtils.getExtension(fileName).toLowerCase();
+		if ((Config.general().getAttachmentConfig().getFileTypeIncludes() != null && !Config.general().getAttachmentConfig().getFileTypeIncludes().isEmpty())
+				&& (!ListTools.contains(Config.general().getAttachmentConfig().getFileTypeIncludes(), fileType))) {
+			if (StringUtils.isNotEmpty(callback)) {
+				throw new ExceptionAttachmentInvalidCallback(callback, fileName);
+			} else {
+				throw new ExceptionAttachmentInvalid(fileName);
+			}
+		}
+		if ((Config.general().getAttachmentConfig().getFileTypeExcludes() != null && !Config.general().getAttachmentConfig().getFileTypeExcludes().isEmpty())
+				&& (ListTools.contains(Config.general().getAttachmentConfig().getFileTypeExcludes(), fileType))) {
+			if (StringUtils.isNotEmpty(callback)) {
+				throw new ExceptionAttachmentInvalidCallback(callback, fileName);
+			} else {
+				throw new ExceptionAttachmentInvalid(fileName);
+			}
+		}
+	}
+
 }
--- a/o2server/x_bbs_assemble_control/src/main/java/com/x/bbs/assemble/control/jaxrs/attachment/ActionUpload.java
+++ b/o2server/x_bbs_assemble_control/src/main/java/com/x/bbs/assemble/control/jaxrs/attachment/ActionUpload.java
@@ -5,6 +5,7 @@ import java.util.UUID;

 import javax.servlet.http.HttpServletRequest;

+import com.x.base.core.project.tools.FileTools;
 import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
@@ -21,18 +22,18 @@ import com.x.bbs.entity.BBSSubjectAttachment;
 import com.x.bbs.entity.BBSSubjectInfo;

 public class ActionUpload extends BaseAction {
-	
+
 	private static Logger logger = LoggerFactory.getLogger(ActionUpload.class);

-	protected ActionResult<Wo> execute( HttpServletRequest request, EffectivePerson effectivePerson, 
-			String subjectId, String site, byte[] bytes, FormDataContentDisposition disposition) {
+	protected ActionResult<Wo> execute( HttpServletRequest request, EffectivePerson effectivePerson,
+			String subjectId, String site, byte[] bytes, FormDataContentDisposition disposition) throws Exception{
 		ActionResult<Wo> result = new ActionResult<>();
 		BBSSubjectAttachment attachment = null;
 		BBSSubjectInfo subject = null;
 		StorageMapping mapping = null;
 		String fileName = null;
-		Boolean check = true;		
-		
+		Boolean check = true;
+
 		if( check ){
 			if( StringUtils.isEmpty(subjectId) ){
 				check = false;
@@ -40,7 +41,7 @@ public class ActionUpload extends BaseAction {
 				result.error( exception );
 			}
 		}
-		
+
 		if( check ){
 			//判断文档是否已经存在
 			try {
@@ -51,7 +52,7 @@ public class ActionUpload extends BaseAction {
 				logger.error( e, effectivePerson, request, null );
 			}
 		}
-		
+
 		if( check ){
 			try {
 				fileName = FilenameUtils.getName(new String(disposition.getFileName().getBytes(DefaultCharset.name_iso_8859_1), DefaultCharset.name));
@@ -60,15 +61,17 @@ public class ActionUpload extends BaseAction {
 					check = false;
 					Exception exception = new ExceptionEmptyExtension( fileName );
 					result.error( exception );
-				} 
+				}
 			} catch (Exception e) {
 				check = false;
 				result.error( e );
 			}
 		}
-		
+
+		FileTools.verifyConstraint(bytes.length, fileName, null);
+
 		if( check ){
-			
+
 			try {
 				mapping = ThisApplication.context().storageMappings().random( BBSSubjectAttachment.class );
 			} catch (Exception e) {

--- a/o2server/x_bbs_assemble_control/src/main/java/com/x/bbs/assemble/control/jaxrs/attachment/ActionUploadCallback.java
+++ b/o2server/x_bbs_assemble_control/src/main/java/com/x/bbs/assemble/control/jaxrs/attachment/ActionUploadCallback.java
@@ -5,6 +5,7 @@ import java.util.UUID;

 import javax.servlet.http.HttpServletRequest;

+import com.x.base.core.project.tools.FileTools;
 import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
@@ -22,18 +23,18 @@ import com.x.bbs.entity.BBSSubjectAttachment;
 import com.x.bbs.entity.BBSSubjectInfo;

 public class ActionUploadCallback extends BaseAction {
-	
+
 	private static Logger logger = LoggerFactory.getLogger(ActionUploadCallback.class);

-	protected ActionResult<Wo<WoObject>> execute( HttpServletRequest request, EffectivePerson effectivePerson, 
-			String subjectId, String callback, String site, byte[] bytes, FormDataContentDisposition disposition) {
+	protected ActionResult<Wo<WoObject>> execute( HttpServletRequest request, EffectivePerson effectivePerson,
+			String subjectId, String callback, String site, byte[] bytes, FormDataContentDisposition disposition) throws Exception{
 		ActionResult<Wo<WoObject>> result = new ActionResult<>();
 		BBSSubjectAttachment attachment = null;
 		BBSSubjectInfo subject = null;
 		StorageMapping mapping = null;
 		String fileName = null;
-		Boolean check = true;		
-		
+		Boolean check = true;
+
 		if( check ){
 			if( StringUtils.isEmpty(subjectId) ){
 				check = false;
@@ -41,7 +42,7 @@ public class ActionUploadCallback extends BaseAction {
 				result.error( exception );
 			}
 		}
-		
+
 		if( check ){
 			//判断文档是否已经存在
 			try {
@@ -52,7 +53,7 @@ public class ActionUploadCallback extends BaseAction {
 				logger.error( e, effectivePerson, request, null );
 			}
 		}
-		
+
 		if( check ){
 			try {
 				fileName = FilenameUtils.getName(new String(disposition.getFileName().getBytes(DefaultCharset.name_iso_8859_1), DefaultCharset.name));
@@ -61,15 +62,17 @@ public class ActionUploadCallback extends BaseAction {
 					check = false;
 					Exception exception = new ExceptionEmptyExtension( fileName );
 					result.error( exception );
-				} 
+				}
 			} catch (Exception e) {
 				check = false;
 				result.error( e );
 			}
 		}
-		
+
+		FileTools.verifyConstraint(bytes.length, fileName, callback);
+
 		if( check ){
-			
+
 			try {
 				mapping = ThisApplication.context().storageMappings().random( BBSSubjectAttachment.class );
 			} catch (Exception e) {

--- a/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/fileinfo/ActionFileUpdate.java
+++ b/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/fileinfo/ActionFileUpdate.java
@@ -9,6 +9,7 @@ import com.x.base.core.project.jaxrs.WoId;
 import com.x.base.core.project.logger.Logger;
 import com.x.base.core.project.logger.LoggerFactory;
 import com.x.base.core.project.tools.ExtractTextTools;
+import com.x.base.core.project.tools.FileTools;
 import com.x.cms.assemble.control.ThisApplication;
 import com.x.cms.core.entity.AppInfo;
 import com.x.cms.core.entity.CategoryInfo;
@@ -64,7 +65,7 @@ public class ActionFileUpdate extends BaseAction {
 			throw new ExceptionFileInfoNotExists( old_attId );
 		}

-		this.verifyConstraint(bytes.length, fileName, null);
+		FileTools.verifyConstraint(bytes.length, fileName, null);

 		StorageMapping mapping = ThisApplication.context().storageMappings().get( FileInfo.class, attachment.getStorage());


--- a/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/fileinfo/ActionFileUpdateCallback.java
+++ b/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/fileinfo/ActionFileUpdateCallback.java
@@ -5,6 +5,7 @@ import java.util.UUID;

 import javax.servlet.http.HttpServletRequest;

+import com.x.base.core.project.tools.FileTools;
 import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.tika.Tika;
@@ -96,7 +97,7 @@ public class ActionFileUpdateCallback extends BaseAction {
 			}
 		}

-		this.verifyConstraint(bytes.length, fileName, callback);
+		FileTools.verifyConstraint(bytes.length, fileName, callback);

 		if( check ){
 			try {

--- a/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/fileinfo/ActionFileUpload.java
+++ b/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/fileinfo/ActionFileUpload.java
@@ -11,6 +11,7 @@ import com.x.base.core.project.jaxrs.WoId;
 import com.x.base.core.project.logger.Logger;
 import com.x.base.core.project.logger.LoggerFactory;
 import com.x.base.core.project.tools.ExtractTextTools;
+import com.x.base.core.project.tools.FileTools;
 import com.x.cms.assemble.control.ThisApplication;
 import com.x.cms.core.entity.Document;
 import com.x.cms.core.entity.FileInfo;
@@ -47,7 +48,7 @@ public class ActionFileUpload extends BaseAction {
 			throw new ExceptionStorageMappingNotExist(StorageType.cms.name());
 		}

-		this.verifyConstraint(bytes.length, fileName, null);
+		FileTools.verifyConstraint(bytes.length, fileName, null);

 		FileInfo attachment = this.concreteAttachment( mapping, document, fileName, effectivePerson, site );


--- a/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/fileinfo/ActionFileUploadCallback.java
+++ b/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/fileinfo/ActionFileUploadCallback.java
@@ -10,6 +10,7 @@ import com.x.base.core.project.jaxrs.WoId;
 import com.x.base.core.project.logger.Logger;
 import com.x.base.core.project.logger.LoggerFactory;
 import com.x.base.core.project.tools.ExtractTextTools;
+import com.x.base.core.project.tools.FileTools;
 import com.x.cms.assemble.control.ThisApplication;
 import com.x.cms.core.entity.Document;
 import com.x.cms.core.entity.FileInfo;
@@ -43,7 +44,7 @@ public class ActionFileUploadCallback extends BaseAction {

 		StorageMapping mapping = ThisApplication.context().storageMappings().random( FileInfo.class );

-		this.verifyConstraint(bytes.length, fileName, callback);
+		FileTools.verifyConstraint(bytes.length, fileName, callback);

 		FileInfo attachment = this.concreteAttachment( mapping, document, fileName, effectivePerson, site );


--- a/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/fileinfo/ActionFileUploadWithUrl.java
+++ b/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/fileinfo/ActionFileUploadWithUrl.java
@@ -4,6 +4,7 @@ import java.util.Date;
 import java.util.UUID;

 import com.x.base.core.project.exception.ExceptionAccessDenied;
+import com.x.base.core.project.tools.FileTools;
 import com.x.cms.core.entity.AppInfo;
 import com.x.cms.core.entity.CategoryInfo;
 import org.apache.commons.io.FilenameUtils;
@@ -87,7 +88,7 @@ public class ActionFileUploadWithUrl extends BaseAction {
 			throw new Exception("can not down file from url!");
 		}

-		this.verifyConstraint(bytes.length, wi.getFileName(), null);
+		FileTools.verifyConstraint(bytes.length, wi.getFileName(), null);

 		attachment.setType((new Tika()).detect(bytes, wi.getFileName()));
 		logger.debug("filename:{}, file type:{}.", attachment.getName(), attachment.getType());

--- a/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/fileinfo/BaseAction.java
+++ b/o2server/x_cms_assemble_control/src/main/java/com/x/cms/assemble/control/jaxrs/fileinfo/BaseAction.java
@@ -2,22 +2,15 @@ package com.x.cms.assemble.control.jaxrs.fileinfo;

 import com.x.base.core.project.cache.Cache;
 import com.x.base.core.project.config.Cms;
-import com.x.base.core.project.config.Config;
 import com.x.base.core.project.config.StorageMapping;
 import com.x.base.core.project.connection.CipherConnectionAction;
 import com.x.base.core.project.http.EffectivePerson;
 import com.x.base.core.project.jaxrs.StandardJaxrsAction;
-import com.x.base.core.project.tools.ListTools;
 import com.x.cms.assemble.control.ThisApplication;
-import com.x.cms.assemble.control.service.AppInfoServiceAdv;
-import com.x.cms.assemble.control.service.CategoryInfoServiceAdv;
-import com.x.cms.assemble.control.service.DocumentQueryService;
-import com.x.cms.assemble.control.service.FileInfoServiceAdv;
-import com.x.cms.assemble.control.service.LogService;
+import com.x.cms.assemble.control.service.*;
 import com.x.cms.core.entity.Document;
 import com.x.cms.core.entity.FileInfo;
 import org.apache.commons.codec.binary.Base64;
-import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.lang3.StringUtils;

 public class BaseAction extends StandardJaxrsAction {
@@ -50,44 +43,6 @@ public class BaseAction extends StandardJaxrsAction {
 		return bytes;
 	}

-	/**
-	 * 判断附件是否符合大小、文件类型的约束
-	 *
-	 * @param size
-	 * @param fileName
-	 * @param callback
-	 * @throws Exception
-	 */
-	protected void verifyConstraint(long size, String fileName, String callback) throws Exception {
-		if (Config.general().getAttachmentConfig().getFileSize() != null && Config.general().getAttachmentConfig().getFileSize() > 0) {
-			size = size / (1024 * 1024);
-			if (size > Config.general().getAttachmentConfig().getFileSize()) {
-				if (StringUtils.isNotEmpty(callback)) {
-					throw new ExceptionAttachmentInvalidCallback(callback, fileName, Config.general().getAttachmentConfig().getFileSize());
-				} else {
-					throw new ExceptionAttachmentInvalid(fileName, Config.general().getAttachmentConfig().getFileSize());
-				}
-			}
-		}
-		String fileType = FilenameUtils.getExtension(fileName).toLowerCase();
-		if ((Config.general().getAttachmentConfig().getFileTypeIncludes() != null && !Config.general().getAttachmentConfig().getFileTypeIncludes().isEmpty())
-				&& (!ListTools.contains(Config.general().getAttachmentConfig().getFileTypeIncludes(), fileType))) {
-			if (StringUtils.isNotEmpty(callback)) {
-				throw new ExceptionAttachmentInvalidCallback(callback, fileName);
-			} else {
-				throw new ExceptionAttachmentInvalid(fileName);
-			}
-		}
-		if ((Config.general().getAttachmentConfig().getFileTypeExcludes() != null && !Config.general().getAttachmentConfig().getFileTypeExcludes().isEmpty())
-				&& (ListTools.contains(Config.general().getAttachmentConfig().getFileTypeExcludes(), fileType))) {
-			if (StringUtils.isNotEmpty(callback)) {
-				throw new ExceptionAttachmentInvalidCallback(callback, fileName);
-			} else {
-				throw new ExceptionAttachmentInvalid(fileName);
-			}
-		}
-	}
-
 	public static class Req {

 		private String person;

--- a/o2server/x_file_assemble_control/src/main/java/com/x/file/assemble/control/jaxrs/attachment/ActionUpdate.java
+++ b/o2server/x_file_assemble_control/src/main/java/com/x/file/assemble/control/jaxrs/attachment/ActionUpdate.java
@@ -3,6 +3,8 @@ package com.x.file.assemble.control.jaxrs.attachment;
 import java.util.ArrayList;
 import java.util.List;

+import com.x.base.core.project.exception.ExceptionFileNameInvalid;
+import com.x.base.core.project.tools.StringTools;
 import org.apache.commons.collections4.ListUtils;
 import org.apache.commons.lang3.StringUtils;

@@ -49,6 +51,9 @@ class ActionUpdate extends BaseAction {
 			if (null != wi.getEditorList()) {
 				editorList = business.organization().person().list(wi.getEditorList());
 			}
+			if(StringUtils.isNotBlank(wi.getName()) && StringTools.isFileName(wi.getName())){
+				throw new ExceptionFileNameInvalid(wi.getName());
+			}
 			/* 从共享用户和共享编辑者里面去掉当前用户和创建者 */
 			shareList = ListUtils.subtract(shareList,
 					ListTools.toList(attachment.getPerson(), effectivePerson.getDistinguishedName()));
@@ -105,4 +110,4 @@ class ActionUpdate extends BaseAction {
 	public static class Wo extends WoId {

 	}
-}
\ No newline at end of file
+}
--- a/o2server/x_file_assemble_control/src/main/java/com/x/file/assemble/control/jaxrs/attachment/ActionUpdateContent.java
+++ b/o2server/x_file_assemble_control/src/main/java/com/x/file/assemble/control/jaxrs/attachment/ActionUpdateContent.java
@@ -4,6 +4,7 @@ import java.util.ArrayList;
 import java.util.List;
 import java.util.Objects;

+import com.x.base.core.project.tools.FileTools;
 import org.apache.commons.collections4.ListUtils;
 import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.lang3.StringUtils;
@@ -56,6 +57,7 @@ class ActionUpdateContent extends BaseAction {
 					attachment.getExtension())) {
 				throw new ExceptionExtensionNotMatch(fileName, attachment.getExtension());
 			}
+			FileTools.verifyConstraint(bytes.length, fileName, null);
 			emc.beginTransaction(Attachment.class);
 			attachment.updateContent(mapping, bytes);
 			emc.check(attachment, CheckPersistType.all);
@@ -80,4 +82,4 @@ class ActionUpdateContent extends BaseAction {
 	public static class Wo extends WoId {

 	}
-}
\ No newline at end of file
+}
--- a/o2server/x_file_assemble_control/src/main/java/com/x/file/assemble/control/jaxrs/attachment/ActionUpdateContentCallback.java
+++ b/o2server/x_file_assemble_control/src/main/java/com/x/file/assemble/control/jaxrs/attachment/ActionUpdateContentCallback.java
 package com.x.file.assemble.control.jaxrs.attachment;

-import java.util.ArrayList;
-import java.util.List;
-import java.util.Objects;
-
-import org.apache.commons.collections4.ListUtils;
-import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.lang3.StringUtils;
-import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
-
 import com.x.base.core.container.EntityManagerContainer;
 import com.x.base.core.container.factory.EntityManagerContainerFactory;
 import com.x.base.core.entity.annotation.CheckPersistType;
@@ -21,9 +12,18 @@ import com.x.base.core.project.jaxrs.WoId;
 import com.x.base.core.project.logger.Logger;
 import com.x.base.core.project.logger.LoggerFactory;
 import com.x.base.core.project.tools.DefaultCharset;
+import com.x.base.core.project.tools.FileTools;
 import com.x.base.core.project.tools.ListTools;
 import com.x.file.assemble.control.ThisApplication;
 import com.x.file.core.entity.personal.Attachment;
+import org.apache.commons.collections4.ListUtils;
+import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Objects;

 class ActionUpdateContentCallback extends BaseAction {

@@ -61,6 +61,7 @@ class ActionUpdateContentCallback extends BaseAction {
 					attachment.getExtension())) {
 				throw new ExceptionExtensionNotMatchCallback(callback, fileName, attachment.getExtension());
 			}
+			FileTools.verifyConstraint(bytes.length, fileName, callback);
 			emc.beginTransaction(Attachment.class);
 			attachment.updateContent(mapping, bytes);
 			emc.check(attachment, CheckPersistType.all);
@@ -91,4 +92,4 @@ class ActionUpdateContentCallback extends BaseAction {

 	public static class WoObject extends WoId {
 	}
-}
\ No newline at end of file
+}
--- a/o2server/x_file_assemble_control/src/main/java/com/x/file/assemble/control/jaxrs/attachment/ActionUpload.java
+++ b/o2server/x_file_assemble_control/src/main/java/com/x/file/assemble/control/jaxrs/attachment/ActionUpload.java
 package com.x.file.assemble.control.jaxrs.attachment;

-import javax.persistence.EntityManager;
-import javax.persistence.criteria.CriteriaBuilder;
-import javax.persistence.criteria.CriteriaQuery;
-import javax.persistence.criteria.Predicate;
-import javax.persistence.criteria.Root;
-
-import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.lang3.StringUtils;
-import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
-
 import com.x.base.core.container.EntityManagerContainer;
 import com.x.base.core.container.factory.EntityManagerContainerFactory;
 import com.x.base.core.entity.annotation.CheckPersistType;
 import com.x.base.core.project.config.StorageMapping;
 import com.x.base.core.project.http.ActionResult;
 import com.x.base.core.project.http.EffectivePerson;
-import com.x.base.core.project.jaxrs.StandardJaxrsAction;
 import com.x.base.core.project.jaxrs.WoId;
 import com.x.base.core.project.tools.DefaultCharset;
+import com.x.base.core.project.tools.FileTools;
 import com.x.file.assemble.control.Business;
 import com.x.file.assemble.control.ThisApplication;
 import com.x.file.core.entity.personal.Attachment;
 import com.x.file.core.entity.personal.Attachment_;
 import com.x.file.core.entity.personal.Folder;
+import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
+
+import javax.persistence.EntityManager;
+import javax.persistence.criteria.CriteriaBuilder;
+import javax.persistence.criteria.CriteriaQuery;
+import javax.persistence.criteria.Predicate;
+import javax.persistence.criteria.Root;

-class ActionUpload extends StandardJaxrsAction {
+class ActionUpload extends BaseAction {

 	// @HttpMethodDescribe(value = "创建Attachment对象,如果没有上级目录用(0)替代.", response =
 	// WrapOutId.class)
@@ -67,6 +66,7 @@ class ActionUpload extends StandardJaxrsAction {
 			if (this.exist(business, fileName, folderId)) {
 				throw new ExceptionSameNameFileExist(fileName);
 			}
+			FileTools.verifyConstraint(bytes.length, fileName, null);
 			Attachment attachment = new Attachment(mapping.getName(), fileName, effectivePerson.getDistinguishedName(),
 					folderId);
 			emc.check(attachment, CheckPersistType.all);
@@ -97,4 +97,4 @@ class ActionUpload extends StandardJaxrsAction {

 	public static class Wo extends WoId {
 	}
-}
\ No newline at end of file
+}
--- a/o2server/x_file_assemble_control/src/main/java/com/x/file/assemble/control/jaxrs/attachment/ActionUploadCallback.java
+++ b/o2server/x_file_assemble_control/src/main/java/com/x/file/assemble/control/jaxrs/attachment/ActionUploadCallback.java
 package com.x.file.assemble.control.jaxrs.attachment;

-import javax.persistence.EntityManager;
-import javax.persistence.criteria.CriteriaBuilder;
-import javax.persistence.criteria.CriteriaQuery;
-import javax.persistence.criteria.Predicate;
-import javax.persistence.criteria.Root;
-
-import org.apache.commons.io.FilenameUtils;
-import org.apache.commons.lang3.StringUtils;
-import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
-
 import com.x.base.core.container.EntityManagerContainer;
 import com.x.base.core.container.factory.EntityManagerContainerFactory;
 import com.x.base.core.entity.annotation.CheckPersistType;
 import com.x.base.core.project.config.StorageMapping;
 import com.x.base.core.project.http.ActionResult;
 import com.x.base.core.project.http.EffectivePerson;
-import com.x.base.core.project.jaxrs.StandardJaxrsAction;
 import com.x.base.core.project.jaxrs.WoCallback;
 import com.x.base.core.project.jaxrs.WoId;
 import com.x.base.core.project.tools.DefaultCharset;
+import com.x.base.core.project.tools.FileTools;
 import com.x.file.assemble.control.Business;
 import com.x.file.assemble.control.ThisApplication;
 import com.x.file.core.entity.personal.Attachment;
 import com.x.file.core.entity.personal.Attachment_;
 import com.x.file.core.entity.personal.Folder;
+import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.lang3.StringUtils;
+import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
+
+import javax.persistence.EntityManager;
+import javax.persistence.criteria.CriteriaBuilder;
+import javax.persistence.criteria.CriteriaQuery;
+import javax.persistence.criteria.Predicate;
+import javax.persistence.criteria.Root;

-class ActionUploadCallback extends StandardJaxrsAction {
+class ActionUploadCallback extends BaseAction {

 	// @HttpMethodDescribe(value = "创建Attachment对象,如果没有上级目录用(0)替代.", response =
 	// WrapOutId.class)
@@ -68,6 +67,7 @@ class ActionUploadCallback extends StandardJaxrsAction {
 			if (this.exist(business, fileName, folderId)) {
 				throw new ExceptionSameNameFileExistCallback(callback, fileName);
 			}
+			FileTools.verifyConstraint(bytes.length, fileName, callback);
 			Attachment attachment = new Attachment(mapping.getName(), fileName, effectivePerson.getDistinguishedName(),
 					folderId);
 			emc.check(attachment, CheckPersistType.all);
@@ -106,4 +106,4 @@ class ActionUploadCallback extends StandardJaxrsAction {
 	public static class WoObject extends WoId {
 	}

-}
\ No newline at end of file
+}
--- a/o2server/x_file_assemble_control/src/main/java/com/x/file/assemble/control/jaxrs/file/ActionUpload.java
+++ b/o2server/x_file_assemble_control/src/main/java/com/x/file/assemble/control/jaxrs/file/ActionUpload.java
@@ -5,6 +5,7 @@ import java.io.ByteArrayInputStream;

 import javax.imageio.ImageIO;

+import com.x.base.core.project.tools.FileTools;
 import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.io.output.ByteArrayOutputStream;
 import org.apache.commons.lang3.ArrayUtils;
@@ -56,7 +57,7 @@ class ActionUpload extends BaseAction {
 			if (StringUtils.isEmpty(FilenameUtils.getExtension(fileName))) {
 				throw new ExceptionEmptyExtension(fileName);
 			}
-
+			FileTools.verifyConstraint(bytes.length, fileName, null);
 			/* 先保存原图 */
 			file = new File(mapping.getName(), fileName, effectivePerson.getDistinguishedName(), type, reference);
 			emc.check(file, CheckPersistType.all);

--- a/o2server/x_file_assemble_control/src/main/java/com/x/file/assemble/control/jaxrs/file/ActionUploadCallback.java
+++ b/o2server/x_file_assemble_control/src/main/java/com/x/file/assemble/control/jaxrs/file/ActionUploadCallback.java
@@ -5,6 +5,7 @@ import java.io.ByteArrayInputStream;

 import javax.imageio.ImageIO;

+import com.x.base.core.project.tools.FileTools;
 import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.io.output.ByteArrayOutputStream;
 import org.apache.commons.lang3.ArrayUtils;
@@ -50,6 +51,7 @@ class ActionUploadCallback extends BaseAction {
 			if (StringUtils.isEmpty(FilenameUtils.getExtension(fileName))) {
 				throw new ExceptionEmptyExtensionCallback(callback, fileName);
 			}
+			FileTools.verifyConstraint(bytes.length, fileName, null);
 			File file = new File(mapping.getName(), fileName, effectivePerson.getDistinguishedName(), type, reference);
 			emc.check(file, CheckPersistType.all);
 			if ((scale > 0) && ArrayUtils.contains(IMAGE_EXTENSIONS_COMPRESS, file.getExtension())) {

--- a/o2server/x_file_assemble_control/src/main/java/com/x/file/assemble/control/jaxrs/file/ActionUploadWithUrl.java
+++ b/o2server/x_file_assemble_control/src/main/java/com/x/file/assemble/control/jaxrs/file/ActionUploadWithUrl.java
@@ -5,6 +5,7 @@ import java.io.ByteArrayInputStream;

 import javax.imageio.ImageIO;

+import com.x.base.core.project.tools.FileTools;
 import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.io.output.ByteArrayOutputStream;
 import org.apache.commons.lang3.ArrayUtils;
@@ -69,6 +70,7 @@ public class ActionUploadWithUrl extends BaseAction {
 		if(bytes==null || bytes.length==0){
 			throw new ExceptionEntityFieldEmpty(File.class, "bytes");
 		}
+		FileTools.verifyConstraint(bytes.length, fileName, null);
 		Wo wo = new Wo();
 		try (EntityManagerContainer emc = EntityManagerContainerFactory.instance().create();
 			 ByteArrayInputStream in = new ByteArrayInputStream(bytes)) {

--- a/o2server/x_file_core_entity/src/main/java/com/x/file/core/entity/open/FileConfigProperties.java
+++ b/o2server/x_file_core_entity/src/main/java/com/x/file/core/entity/open/FileConfigProperties.java
 package com.x.file.core.entity.open;

 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.List;

 import com.x.base.core.entity.JsonProperties;
@@ -15,7 +16,8 @@ public class FileConfigProperties extends JsonProperties {
 	private static final long serialVersionUID = -1259157593040432239L;

 	@FieldDescribe("只允许上传的文件后缀")
-	private List<String> fileTypeIncludes = new ArrayList<>();
+	private List<String> fileTypeIncludes = Arrays.asList("doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf",
+			"xapp", "text", "zip", "rar", "mp3", "mp4", "png", "jpg", "gif");

 	@FieldDescribe("不允许上传的文件后缀")
 	private List<String> fileTypeExcludes = new ArrayList<>();

--- a/o2server/x_meeting_assemble_control/src/main/java/com/x/meeting/assemble/control/jaxrs/attachment/ActionUpload.java
+++ b/o2server/x_meeting_assemble_control/src/main/java/com/x/meeting/assemble/control/jaxrs/attachment/ActionUpload.java
@@ -4,6 +4,7 @@ import java.io.ByteArrayInputStream;
 import java.io.InputStream;
 import java.util.Date;

+import com.x.base.core.project.tools.FileTools;
 import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
@@ -38,6 +39,7 @@ public class ActionUpload extends BaseAction {
 				emc.beginTransaction(Attachment.class);
 				fileName = StringUtils.isEmpty(fileName) ? disposition.getFileName() : fileName;
 				fileName = FilenameUtils.getName(fileName);
+				FileTools.verifyConstraint(bytes.length, fileName, null);
 				Attachment attachment = this.concreteAttachment(meeting, summary);
 				attachment.saveContent(mapping, input, fileName);
 				attachment.setLastUpdatePerson(effectivePerson.getDistinguishedName());
@@ -56,4 +58,4 @@ public class ActionUpload extends BaseAction {

 	}

-}
\ No newline at end of file
+}
--- a/o2server/x_meeting_assemble_control/src/main/java/com/x/meeting/assemble/control/jaxrs/attachment/ActionUploadCallback.java
+++ b/o2server/x_meeting_assemble_control/src/main/java/com/x/meeting/assemble/control/jaxrs/attachment/ActionUploadCallback.java
@@ -4,6 +4,7 @@ import java.io.ByteArrayInputStream;
 import java.io.InputStream;
 import java.util.Date;

+import com.x.base.core.project.tools.FileTools;
 import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.glassfish.jersey.media.multipart.FormDataContentDisposition;
@@ -39,6 +40,7 @@ public class ActionUploadCallback extends BaseAction {
 				emc.beginTransaction(Attachment.class);
 				fileName = StringUtils.isEmpty(fileName) ? disposition.getFileName() : fileName;
 				fileName = FilenameUtils.getName(fileName);
+				FileTools.verifyConstraint(bytes.length, fileName, callback);
 				Attachment attachment = this.concreteAttachment(meeting, summary);
 				attachment.saveContent(mapping, input, fileName);
 				attachment.setLastUpdatePerson(effectivePerson.getDistinguishedName());
@@ -63,4 +65,4 @@ public class ActionUploadCallback extends BaseAction {
 	public static class WoObject extends WoId {
 	}

-}
\ No newline at end of file
+}
--- a/o2server/x_processplatform_assemble_surface/src/main/java/com/x/processplatform/assemble/surface/jaxrs/attachment/ActionUpdateContent.java
+++ b/o2server/x_processplatform_assemble_surface/src/main/java/com/x/processplatform/assemble/surface/jaxrs/attachment/ActionUpdateContent.java
 package com.x.processplatform.assemble.surface.jaxrs.attachment;

+import com.x.base.core.project.exception.ExceptionFieldEmpty;
+import com.x.base.core.project.exception.ExceptionFileNameInvalid;
+import com.x.base.core.project.tools.StringTools;
 import org.apache.commons.lang3.BooleanUtils;
 import org.apache.commons.lang3.StringUtils;

@@ -44,9 +47,12 @@ class ActionUpdateContent extends BaseAction {
 			}
 			String fileName = wi.getFileName();
 			if (StringUtils.isEmpty(fileName)) {
-				throw new IllegalStateException("fileName can not empty!");
+				throw new ExceptionFieldEmpty("fileName");
 			}
 			fileName = fileName + "." + attachment.getExtension();
+			if(!StringTools.isFileName(fileName)){
+				throw new ExceptionFileNameInvalid(fileName);
+			}
 			if (!fileName.equalsIgnoreCase(attachment.getName())) {
 				fileName = this.adjustFileName(business, work.getJob(), fileName);
 			}

--- a/o2server/x_processplatform_assemble_surface/src/main/java/com/x/processplatform/assemble/surface/jaxrs/attachment/ActionUploadWithUrl.java
+++ b/o2server/x_processplatform_assemble_surface/src/main/java/com/x/processplatform/assemble/surface/jaxrs/attachment/ActionUploadWithUrl.java
@@ -98,6 +98,7 @@ class ActionUploadWithUrl extends BaseAction {
 				throw new IllegalStateException("fileName can not empty.");
 			}
 			fileName = this.adjustFileName(business, attachment.getJob(), fileName);
+			this.verifyConstraint(bytes.length, fileName, null);

 			StorageMapping mapping = ThisApplication.context().storageMappings().random(Attachment.class);
 			attachment.saveContent(mapping, bytes, fileName);

--- a/o2server/x_processplatform_assemble_surface/src/main/java/com/x/processplatform/assemble/surface/jaxrs/attachment/BaseAction.java
+++ b/o2server/x_processplatform_assemble_surface/src/main/java/com/x/processplatform/assemble/surface/jaxrs/attachment/BaseAction.java
@@ -14,6 +14,7 @@ import javax.persistence.criteria.Root;
 import com.x.base.core.project.config.ProcessPlatform;
 import com.x.base.core.project.config.StorageMapping;
 import com.x.base.core.project.connection.CipherConnectionAction;
+import com.x.base.core.project.exception.ExceptionFileNameInvalid;
 import com.x.processplatform.core.entity.content.Work;
 import com.x.processplatform.core.entity.content.WorkCompleted;
 import org.apache.commons.codec.binary.Base64;
@@ -312,6 +313,9 @@ abstract class BaseAction extends StandardJaxrsAction {
 	 * @throws Exception
 	 */
 	protected void verifyConstraint(long size, String fileName, String callback) throws Exception {
+		if(!StringTools.isFileName(fileName)){
+			throw new ExceptionFileNameInvalid(fileName);
+		}
 		if (Config.general().getAttachmentConfig().getFileSize() != null && Config.general().getAttachmentConfig().getFileSize() > 0) {
 			size = size / (1024 * 1024);
 			if (size > Config.general().getAttachmentConfig().getFileSize()) {