Java判断文件类型
java判断文件类型
- 参考的方案
- 我在上传文件时使用的方案
- 图片文件上传
- 使用的KefuConfig.java类
- application.properties文件的配置
- FileUtil 文件上传工具类
参考的方案
原文链接:https://www.cnblogs.com/ryelqy/p/10104171.html
通常,在WEB系统中,上传文件时都需要做文件的类型校验,大致有如下几种方法:
- 通过后缀名,如exe,jpg,bmp,rar,zip等等。
- 通过读取文件,获取文件的Content-type来判断。
- 通过读取文件流,根据文件流中特定的一些字节标识来区分不同类型的文件。
- 若是图片,则通过缩放来判断,可以缩放的为图片,不可以的则不是。
然而,在安全性较高的业务场景中,1,2两种方法的校验会被轻易绕过。
- 伪造后缀名,如图片的,非常容易修改。
- 伪造文件的Content-type,这个稍微复杂点,为了直观,截图如下:
3.较安全,但是要读取文件,并有16进制转换等操作,性能稍差,但能满足一定条件下对安全的要求,所以建议使用。
但是文件头的信息也可以伪造,截图如下,对于图片可以采用图片缩放或者获取图片宽高的方法避免伪造头信息漏洞。
对应的Java代码如下:
package apistudy;
import java.awt.image.BufferedImage;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Map.Entry;
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;
public class FileTypeTest
{
public final static Map<String, String> FILE_TYPE_MAP = new HashMap<String, String>();
private FileTypeTest(){}
static{
getAllFileType(); //初始化文件类型信息
}
/**
* Created on 2010-7-1
* Discription:[getAllFileType,常见文件头信息]
* @author:[[email protected]]
*/
private static void getAllFileType()
{
FILE_TYPE_MAP.put("jpg", "FFD8FF"); //JPEG (jpg)
FILE_TYPE_MAP.put("png", "89504E47"); //PNG (png)
FILE_TYPE_MAP.put("gif", "47494638"); //GIF (gif)
FILE_TYPE_MAP.put("tif", "49492A00"); //TIFF (tif)
FILE_TYPE_MAP.put("bmp", "424D"); //Windows Bitmap (bmp)
FILE_TYPE_MAP.put("dwg", "41433130"); //CAD (dwg)
FILE_TYPE_MAP.put("html", "68746D6C3E"); //HTML (html)
FILE_TYPE_MAP.put("rtf", "7B5C727466"); //Rich Text Format (rtf)
FILE_TYPE_MAP.put("xml", "3C3F786D6C");
FILE_TYPE_MAP.put("zip", "504B0304");
FILE_TYPE_MAP.put("rar", "52617221");
FILE_TYPE_MAP.put("psd", "38425053"); //Photoshop (psd)
FILE_TYPE_MAP.put("eml", "44656C69766572792D646174653A"); //Email [thorough only] (eml)
FILE_TYPE_MAP.put("dbx", "CFAD12FEC5FD746F"); //Outlook Express (dbx)
FILE_TYPE_MAP.put("pst", "2142444E"); //Outlook (pst)
FILE_TYPE_MAP.put("xls", "D0CF11E0"); //MS Word
FILE_TYPE_MAP.put("doc", "D0CF11E0"); //MS Excel 注意:word 和 excel的文件头一样
FILE_TYPE_MAP.put("mdb", "5374616E64617264204A"); //MS Access (mdb)
FILE_TYPE_MAP.put("wpd", "FF575043"); //WordPerfect (wpd)
FILE_TYPE_MAP.put("eps", "252150532D41646F6265");
FILE_TYPE_MAP.put("ps", "252150532D41646F6265");
FILE_TYPE_MAP.put("pdf", "255044462D312E"); //Adobe Acrobat (pdf)
FILE_TYPE_MAP.put("qdf", "AC9EBD8F"); //Quicken (qdf)
FILE_TYPE_MAP.put("pwl", "E3828596"); //Windows Password (pwl)
FILE_TYPE_MAP.put("wav", "57415645"); //Wave (wav)
FILE_TYPE_MAP.put("avi", "41564920");
FILE_TYPE_MAP.put("ram", "2E7261FD"); //Real Audio (ram)
FILE_TYPE_MAP.put("rm", "2E524D46"); //Real Media (rm)
FILE_TYPE_MAP.put("mpg", "000001BA"); //
FILE_TYPE_MAP.put("mov", "6D6F6F76"); //Quicktime (mov)
FILE_TYPE_MAP.put("asf", "3026B2758E66CF11"); //Windows Media (asf)
FILE_TYPE_MAP.put("mid", "4D546864"); //MIDI (mid)
}
public static void main(String[] args) throws Exception
{
File f = new File("c://aaa.gif");
if (f.exists())
{
String filetype1 = getImageFileType(f);
System.out.println(filetype1);
String filetype2 = getFileByFile(f);
System.out.println(filetype2);
}
}
/**
* Created on 2010-7-1
* Discription:[getImageFileType,获取图片文件实际类型,若不是图片则返回null]
* @param File
* @return fileType
* @author:[[email protected]]
*/
public final static String getImageFileType(File f)
{
if (isImage(f))
{
try
{
ImageInputStream iis = ImageIO.createImageInputStream(f);
Iterator<ImageReader> iter = ImageIO.getImageReaders(iis);
if (!iter.hasNext())
{
return null;
}
ImageReader reader = iter.next();
iis.close();
return reader.getFormatName();
}
catch (IOException e)
{
return null;
}
catch (Exception e)
{
return null;
}
}
return null;
}
/**
* Created on 2010-7-1
* Discription:[getFileByFile,获取文件类型,包括图片,若格式不是已配置的,则返回null]
* @param file
* @return fileType
* @author:[[email protected]]
*/
public final static String getFileByFile(File file)
{
String filetype = null;
byte[] b = new byte[50];
try
{
InputStream is = new FileInputStream(file);
is.read(b);
filetype = getFileTypeByStream(b);
is.close();
}
catch (FileNotFoundException e)
{
e.printStackTrace();
}
catch (IOException e)
{
e.printStackTrace();
}
return filetype;
}
/**
* Created on 2010-7-1
* Discription:[getFileTypeByStream]
* @param b
* @return fileType
* @author:[[email protected]]
*/
public final static String getFileTypeByStream(byte[] b)
{
String filetypeHex = String.valueOf(getFileHexString(b));
Iterator<Entry<String, String>> entryiterator = FILE_TYPE_MAP.entrySet().iterator();
while (entryiterator.hasNext()) {
Entry<String,String> entry = entryiterator.next();
String fileTypeHexValue = entry.getValue();
if (filetypeHex.toUpperCase().startsWith(fileTypeHexValue)) {
return entry.getKey();
}
}
return null;
}
/**
* Created on 2010-7-2
* Discription:[isImage,判断文件是否为图片]
* @param file
* @return true 是 | false 否
* @author:[[email protected]]
*/
public static final boolean isImage(File file){
boolean flag = false;
try
{
BufferedImage bufreader = ImageIO.read(file);
int width = bufreader.getWidth();
int height = bufreader.getHeight();
if(width==0 || height==0){
flag = false;
}else {
flag = true;
}
}
catch (IOException e)
{
flag = false;
}catch (Exception e) {
flag = false;
}
return flag;
}
/**
* Created on 2010-7-1
* Discription:[getFileHexString]
* @param b
* @return fileTypeHex
* @author:[[email protected]]
*/
public final static String getFileHexString(byte[] b)
{
StringBuilder stringBuilder = new StringBuilder();
if (b == null || b.length <= 0)
{
return null;
}
for (int i = 0; i < b.length; i++)
{
int v = b[i] & 0xFF;
String hv = Integer.toHexString(v);
if (hv.length() < 2)
{
stringBuilder.append(0);
}
stringBuilder.append(hv);
}
return stringBuilder.toString();
}
}
这样,不管是传入的文件有后缀名,还是无后缀名,或者修改了后缀名,真正获取到的才是该文件的实际类型,这样避免了一些想通过修改后缀名或者Content-type信息来攻击的因素。
但是性能与安全永远是无法同时完美的,安全的同时付出了读取文件的代价。本人建议可采用后缀名与读取文件的方式结合校验,毕竟攻击是少数,后缀名的校验能排除大多数用户,在后缀名获取不到时再通过获取文件真实类型校验,这样来适当提高性能。
我在上传文件时使用的方案
图片文件上传
代码如下:
package com.towker.kefu.controller.api.im;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.Lists;
import com.towker.kefu.common.ResponseData;
import com.towker.kefu.config.KefuConfig;
import com.towker.kefu.core.Model;
import com.towker.kefu.core.ModelKit;
import com.towker.kefu.model.Icon;
import com.towker.kefu.model.Message;
import com.towker.kefu.model.TreeNode;
import com.towker.kefu.service.ArticleService;
import com.towker.kefu.service.IconService;
import com.towker.kefu.service.MessageService;
import com.towker.kefu.util.*;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.multipart.MultipartFile;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.*;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
/**
* 通用接口
*/
@RestController
@RequestMapping(value = "/api/common")
public class CommonAPIController {
private Logger logger = LoggerFactory.getLogger(getClass().getName());
@Autowired
private IconService iconService;
@Autowired
private ArticleService articleService;
@Autowired
private MessageService messageService;
@Autowired
private KefuConfig kefuConfig;
@Autowired
private ObjectMapper objectMapper;
/**
* 表情信息获取
*/
@RequestMapping(value = "/iconList", method = RequestMethod.POST)
public ResponseData iconList(@RequestBody String params) {
Icon icon = JsonUtil.parseObject(params, Icon.class);
Page<Icon> page = iconService.search(icon);
return new ResponseData(0, page);
}
/**
* 聊天时发送图片的文件上传,会返回图片的链接
* 文件会自动绑定到MultipartFile中
*
* @param file
* @param request
* @return
*/
@RequestMapping(value = "/uploadFile", method = RequestMethod.POST)
public ResponseData singleFileUpload(@RequestParam("file") MultipartFile file, HttpServletRequest request) {
if (file.isEmpty()) {
return new ResponseData(999999, "文件为空,请选择要上传的文件");
}
// 判断文件大小,将字节转换为MB
long fileSize = file.getSize() / 1024 / 1024;
if (fileSize > DictUtils.build().getFileSize()) {
return new ResponseData(999999, "文件不能超过 " + DictUtils.build().getIconSize() + " M");
}
if (file.getOriginalFilename().split("\\.").length < 2 ) {
return new ResponseData(999999, "文件格式不正确");
}
// 使用UUID作为文件名
String newName = IdGen.uuid() + "." + file.getOriginalFilename().split("\\.")[1];
// 按年月作为文件夹分开存放不同月份的图片
String year = File.separator + DateUtils.getYear() + DateUtils.getMonth()+ File.separator;
String path = FileUtil.uploadFile(file, newName, kefuConfig.getUploadPath() + year);
// 返回文件路径
Map<String, Object> map = new HashMap<String, Object>();
map.put("filePath", path);
return new ResponseData(0, map, "成功上传了:" + file.getOriginalFilename() + "'");
}
/**
* 文件下载
* @param filePath
* @param response
* @return
*/
@GetMapping("/download")
public ResponseData downloadFile(@RequestParam String filePath, HttpServletResponse response) {
if (filePath != null) {
File file = new File(kefuConfig.getUploadPath() + filePath);
if (file.exists()) {
response.setContentType("application/force-download");// 设置强制下载不打开
response.addHeader("Content-Disposition", "attachment;filePath=" + filePath);// 设置文件路径
byte[] buffer = new byte[1024];
FileInputStream fis = null;
BufferedInputStream bis = null;
try {
fis = new FileInputStream(file);
bis = new BufferedInputStream(fis);
OutputStream os = response.getOutputStream();
int i = bis.read(buffer);
while (i != -1) {
os.write(buffer, 0, i);
i = bis.read(buffer);
}
return new ResponseData(0,"下载成功");
} catch (Exception e) {
e.printStackTrace();
} finally {
if (bis != null) {
try {
bis.close();
} catch (IOException e) {
e.printStackTrace();
}
}
if (fis != null) {
try {
fis.close();
} catch (IOException e) {
e.printStackTrace();
}
}
}
}
}
return new ResponseData(999999,"下载失败");
}
}
使用的KefuConfig.java类
package com.towker.kefu.config;
import lombok.Data;
import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.stereotype.Component;
/**
* 客服项目配置类
*
* 将application.properties文件中 kefu开头的值注入属性
* @ConfigurationProperties(prefix = KefuConfig.PREFIX)
*/
@Component
@ConfigurationProperties(prefix = KefuConfig.PREFIX)
@Data
public class KefuConfig {
public static final String PREFIX = "kefu";
/**
* 文件上传路径
*/
private String uploadPath;
}
application.properties文件的配置
application-dev.properties
# 开发环境的上传路径
kefu.upload-path=src/main/resources/static/upload/
application-prod.properties
# 生产环境(Linux系统下使用的路径)
kefu.upload-path=/data/kefu/upload/
FileUtil 文件上传工具类
package com.towker.kefu.util;
import com.towker.kefu.config.KefuConfig;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.multipart.MultipartFile;
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;
import java.awt.image.BufferedImage;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.util.*;
/**
* 文件工具类
*/
public class FileUtil {
@Autowired
KefuConfig kefuConfig;
public final static Map<String, String> FILE_TYPE_MAP = new HashMap<String, String>();
private static Logger logger = LoggerFactory.getLogger(Logger.class);
private FileUtil(){}
static{
getAllFileType(); //初始化文件类型信息
}
/**
* 可上传的图片类型
*/
public static List<String> imageTypelist = Arrays.asList("jpg", "bmp", "jpeg", "png", "gif",
"JPG", "BMP", "JPEG", "PNG", "GIF");
/**
* Discription:[getAllFileType,常见文件头信息]
*/
private static void getAllFileType()
{
FILE_TYPE_MAP.put("jpg", "FFD8FF"); //JPEG (jpg)
FILE_TYPE_MAP.put("png", "89504E47"); //PNG (png)
FILE_TYPE_MAP.put("gif", "47494638"); //GIF (gif)
FILE_TYPE_MAP.put("tif", "49492A00"); //TIFF (tif)
FILE_TYPE_MAP.put("bmp", "424D"); //Windows Bitmap (bmp)
FILE_TYPE_MAP.put("dwg", "41433130"); //CAD (dwg)
FILE_TYPE_MAP.put("html", "68746D6C3E"); //HTML (html)
FILE_TYPE_MAP.put("rtf", "7B5C727466"); //Rich Text Format (rtf)
FILE_TYPE_MAP.put("xml", "3C3F786D6C");
FILE_TYPE_MAP.put("zip", "504B0304");
FILE_TYPE_MAP.put("rar", "52617221");
FILE_TYPE_MAP.put("psd", "38425053"); //Photoshop (psd)
FILE_TYPE_MAP.put("eml", "44656C69766572792D646174653A"); //Email [thorough only] (eml)
FILE_TYPE_MAP.put("dbx", "CFAD12FEC5FD746F"); //Outlook Express (dbx)
FILE_TYPE_MAP.put("pst", "2142444E"); //Outlook (pst)
FILE_TYPE_MAP.put("xls", "D0CF11E0"); //MS Word
FILE_TYPE_MAP.put("doc", "D0CF11E0"); //MS Excel 注意:word 和 excel的文件头一样
FILE_TYPE_MAP.put("mdb", "5374616E64617264204A"); //MS Access (mdb)
FILE_TYPE_MAP.put("wpd", "FF575043"); //WordPerfect (wpd)
FILE_TYPE_MAP.put("eps", "252150532D41646F6265");
FILE_TYPE_MAP.put("ps", "252150532D41646F6265");
FILE_TYPE_MAP.put("pdf", "255044462D312E"); //Adobe Acrobat (pdf)
FILE_TYPE_MAP.put("qdf", "AC9EBD8F"); //Quicken (qdf)
FILE_TYPE_MAP.put("pwl", "E3828596"); //Windows Password (pwl)
FILE_TYPE_MAP.put("wav", "57415645"); //Wave (wav)
FILE_TYPE_MAP.put("avi", "41564920");
FILE_TYPE_MAP.put("ram", "2E7261FD"); //Real Audio (ram)
FILE_TYPE_MAP.put("rm", "2E524D46"); //Real Media (rm)
FILE_TYPE_MAP.put("mpg", "000001BA"); //
FILE_TYPE_MAP.put("mov", "6D6F6F76"); //Quicktime (mov)
FILE_TYPE_MAP.put("asf", "3026B2758E66CF11"); //Windows Media (asf)
FILE_TYPE_MAP.put("mid", "4D546864"); //MIDI (mid)
}
/**
* Discription:[getImageFileType,获取图片文件实际类型,若不是图片则返回null]
* @param inputStream
* @return fileType
*/
public final static String getImageFileType(InputStream inputStream)
{
if (isImage(inputStream))
{
try
{
ImageInputStream iis = ImageIO.createImageInputStream(inputStream);
Iterator<ImageReader> iter = ImageIO.getImageReaders(iis);
if (!iter.hasNext())
{
return null;
}
ImageReader reader = iter.next();
iis.close();
return reader.getFormatName();
}
catch (IOException e)
{
return null;
}
catch (Exception e)
{
return null;
}
}
return null;
}
/**
* Created on 2010-7-2
* Discription:[isImage,判断文件是否为图片]
* @param inputStream
* @return true 是 | false 否
*/
public static final boolean isImage(InputStream inputStream){
boolean flag = false;
try
{
BufferedImage bufreader = ImageIO.read(inputStream);
int width = bufreader.getWidth();
int height = bufreader.getHeight();
if(width==0 || height==0){
flag = false;
}else {
flag = true;
}
}
catch (IOException e)
{
flag = false;
}catch (Exception e) {
flag = false;
}
return flag;
}
/**
* 上传文件方法
* @param file
* @param fileName
*/
public static String uploadFile(MultipartFile file, String fileName,String uploadPath){
logger.info("[文件类型] - [{}]", file.getContentType());
logger.info("[文件名称] - [{}]", file.getOriginalFilename());
logger.info("[文件大小] - [{}]", file.getSize());
try {
// 构建真实的文件路径
File fPath = new File(uploadPath);
if(!fPath.exists()){
// 递归生成文件夹
fPath.mkdirs();
}
// 在构建图片File 对象时, File newFile = new File(fileDir, filename); 直接使用这种方式不行,会以容器实例的地址来上传,报错
// File.separator 路径分隔符,会自动根据平台变换(Linux和Windows的问价夹分隔符不一样)
File newFile = new File(fPath.getAbsolutePath()+ File.separator + fileName);
// 上传图片到绝对路径
file.transferTo(newFile);
logger.info("[上传成功,路径为] - [{}]", fPath.getAbsolutePath()+ File.separator + fileName);
return (File.separator + "upload" + File.separator + fileName);
} catch (IOException e) {
e.printStackTrace();
}
return "";
}
}