From 0fff3cf126b28f9cc735bfe4b30edb340c241b6d Mon Sep 17 00:00:00 2001
From: zmister <zmister@qq.com>
Date: Wed, 27 Oct 2021 21:25:56 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BC=98=E5=8C=96=E4=B8=8A=E4=BC=A0URL?=
 =?UTF-8?q?=E5=9B=BE=E7=89=87=E6=97=B6=E7=9A=84=E5=9B=BE=E7=89=87=E6=A0=BC?=
 =?UTF-8?q?=E5=BC=8F=E6=A0=A1=E9=AA=8C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app_doc/util_upload_img.py | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/app_doc/util_upload_img.py b/app_doc/util_upload_img.py
index 499492d..83805e2 100644
--- a/app_doc/util_upload_img.py
+++ b/app_doc/util_upload_img.py
@@ -115,6 +115,16 @@ def ice_url_img_upload(url,user):
     r = requests.get(url, headers=header, stream=True)
 
     if r.status_code == 200:
+        # 判断是否为允许上传的图片类型
+        remote_type = r.headers['Content-Type'].split("/")[1]
+        if remote_type not in settings.ALLOWED_IMG:
+            logger.error("上传了不允许的URL图片：{}".format(url))
+            resp_data = {
+                'error': 0,
+                'name': {},
+                'file':{}
+            }
+            return resp_data
         with open(path_file, 'wb') as f:
             f.write(r.content)  # 保存文件
         Image.objects.create(
@@ -274,6 +284,16 @@ def url_img_upload(url,dir_name,user):
     try:
         r = requests.get(url, headers=header, stream=True)
         if r.status_code == 200:
+            # 判断是否为允许上传的图片类型
+            remote_type = r.headers['Content-Type'].split("/")[1]
+            if remote_type not in settings.ALLOWED_IMG:
+                logger.error("上传了不允许的URL图片：{}".format(url))
+                resp_data = {
+                    'msg': '',
+                    'code': 1,
+                    'data': {}
+                }
+                return resp_data
             with open(path_file, 'wb') as f:
                 f.write(r.content)  # 保存文件
             Image.objects.create(