diff --git a/application/index/controller/Qrcode.php b/application/index/controller/Qrcode.php
index dbcce7825159929dd1906d4b3af39b66b7df0c38..7e2373cc8f2040d2aaa6ca1af46d3f360cf9457d 100755
--- a/application/index/controller/Qrcode.php
+++ b/application/index/controller/Qrcode.php
@@ -56,13 +56,12 @@ class QrCode extends Common
 public function Download()
 {
 $params = input();
- if(empty($params['url']))
+ $ret = (new \base\Qrcode())->Download($params);
+ if(!empty($ret) && isset($ret['code']) && $ret['code'] != 0)
 {
- $this->assign('msg', 'url参数为空');
+ $this->assign('msg', $ret['msg']);
 return $this->fetch('public/tips_error');
 }
-
- (new \base\Qrcode())->Download($params);
 }
 }
 ?>
\ No newline at end of file
diff --git a/extend/base/Qrcode.php b/extend/base/Qrcode.php
index 135ae962cb53a575b0f8ff4e22abc15f7240e8d2..803d298d0ebdfee7a159b727bc309d5db20c0f9e 100644
--- a/extend/base/Qrcode.php
+++ b/extend/base/Qrcode.php
@@ -180,7 +180,17 @@ class Qrcode
 public function Download($params = [])
 {
 // 图片地址
- $url = base64_decode(urldecode($params['url']));
+ $url = empty($params['url']) ? '' : base64_decode(urldecode($params['url']));
+ if(empty($url)) {
+ return DataReturn('url地址有误', -1);
+ }
+
+ // 域名验证、仅支持下载当前域名下的文件
+ if(GetUrlHost(__MY_HOST__) != GetUrlHost($url))
+ {
+ return DataReturn('url地址非法', -1);
+ }
 // 随机文件名
 $filename = empty($params['filename']) ? date('YmdHis').GetNumberCode().'.png' : $params['filename'].'.png';
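Review bot: The added `$this->assign('msg', $ret['msg']);` line reads `$ret['msg']` unguarded, while the condition above it only checks `$ret['code']`, so a helper result that carries a code but no message produces an undefined-index warning instead of the error page. Guard it the same way the code is guarded: `$this->assign('msg', isset($ret['msg']) ? $ret['msg'] : 'url地址有误');`. The `$ret['code'] != 0` test is also loose: on PHP 7 a non-numeric string code compares equal to 0 and would be treated as success, so `(int)$ret['code'] !== 0` is safer if DataReturn can ever return a non-integer code (the codes visible in this commit are only -1). The helper's success path is presumably a direct file response with no return value, which this check tolerates, but that contract is not visible here and is worth stating in a comment above the call.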
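Review bot: The new host check `if(GetUrlHost(__MY_HOST__) != GetUrlHost($url))` never verifies that a host was actually parsed from the decoded URL and uses a loose comparison, so if GetUrlHost returns an empty, false or null value for a malformed, scheme-less or `file:`-style URL and __MY_HOST__ also yields a falsy value (its failure return is not visible here), the two compare equal and the URL is accepted. Capture the parsed host first and require it to be non-empty: `$host = GetUrlHost($url);` then `if(empty($host) || $host !== GetUrlHost(__MY_HOST__))` before the existing `return DataReturn('url地址非法', -1);`. A same-host allow rule also only narrows, not removes, the server-side fetch of an attacker-chosen path if the rest of Download retrieves `$url`, so `base64_decode($params['url'], true)` (strict) and a path or prefix allowlist would be a stronger boundary. Separately, the hunk's last line builds `$filename` from `$params['filename']` verbatim; if that name is later used in a filesystem path or a Content-Disposition header it should go through `basename()` or be restricted to `[A-Za-z0-9_-]`. Download's body continues past the end of this hunk.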