diff --git a/application/common/library/Upload.php b/application/common/library/Upload.php
index add846dd..d28cdd33 100644
--- a/application/common/library/Upload.php
+++ b/application/common/library/Upload.php
@@ -86,6 +86,11 @@ class Upload
 */
 protected function checkExecutable()
 {
+ //禁止上传以.开头的文件
+ if (substr($this->fileInfo['name'], 0, 1) === '.') {
+ throw new UploadException(__('Uploaded file format is limited'));
+ }
+
 //禁止上传PHP和HTML文件
 if (in_array($this->fileInfo['type'], ['text/x-php', 'text/html']) || in_array($this->fileInfo['suffix'], ['php', 'html', 'htm', 'phar', 'phtml']) || preg_match("/^php(.*)/i", $this->fileInfo['suffix'])) {
 throw new UploadException(__('Uploaded file format is limited'));
@@ -107,8 +112,7 @@ class Upload
 throw new UploadException(__('Uploaded file format is limited'));
 }
 //验证文件后缀
- if ($this->config['mimetype'] === '*'
- || in_array($this->fileInfo['suffix'], $mimetypeArr) || in_array('.' . $this->fileInfo['suffix'], $mimetypeArr)
+ if (in_array($this->fileInfo['suffix'], $mimetypeArr) || in_array('.' . $this->fileInfo['suffix'], $mimetypeArr)
 || in_array($typeArr[0] . "/*", $mimetypeArr) || (in_array($this->fileInfo['type'], $mimetypeArr) && stripos($this->fileInfo['type'], '/') !== false)) {
 return true;
 }
diff --git a/application/extra/upload.php b/application/extra/upload.php
index 24357afb..8a79610e 100644
--- a/application/extra/upload.php
+++ b/application/extra/upload.php
@@ -20,6 +20,7 @@ return [
 'maxsize' => '10mb',
 /**
 * 可上传的文件类型
+ * 如配置允许 pdf,ppt,docx,svg 等可能含有脚本的文件时,请先从服务器配置此类文件直接下载而不是预览
 */
 'mimetype' => 'jpg,png,bmp,jpeg,gif,webp,zip,rar,wav,mp4,mp3,webm',
 /**
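Review bot: The new dot-file guard in checkExecutable() tests only the first character of `$this->fileInfo['name']`, so it does not cover a name that still carries a directory component, and it says nothing about the name the file is eventually stored under if that is derived elsewhere in the class (the rest of checkExecutable() and the save path are outside this hunk). Checking the base name instead, `if (substr(basename($this->fileInfo['name']), 0, 1) === '.') {`, makes the guard independent of any path prefix that `name` may carry. It would also help to state in the comment which name this protects, e.g. `//禁止上传以.开头的文件（检查的是上传时的原始文件名）`, so a later change to the stored-name logic does not silently bypass it.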
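Review bot: Dropping the `$this->config['mimetype'] === '*'` branch in the suffix check means a configuration of `*` is no longer honoured, and nothing in the hunk replaces it with an explicit outcome; if `$mimetypeArr` is built from that same config string (its construction is above the hunk), a `*` setting would now fall through to the final "format is limited" rejection rather than a clear configuration error. Either document the removal where the config is read, e.g. `//不再支持 * 通配，必须显式列出允许的后缀或类型`, or reject a `*` configuration up front so the operator sees why every upload fails. While touching this condition, the `in_array` calls compare loosely; passing `true` as the third argument avoids PHP's string-to-number comparison surprises when matching suffixes and types. The enclosing function continues beyond the hunk.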