修复分片上传参数过滤不严的BUG

application/common/library/Upload.php

@@ -76,6 +76,7 @@ class Upload
 
         $this->file = $file;
         $this->fileInfo = $fileInfo;
+        $this->checkExecutable();
     }
 
     protected function checkExecutable()
@@ -171,6 +172,9 @@ class Upload
      */
     public function clean($chunkid)
     {
+        if (!preg_match('/^[a-z0-9\-]{36}$/', $chunkid)) {
+            throw new UploadException(__('Invalid parameters'));
+        }
         $iterator = new \GlobIterator($this->chunkDir . DS . $chunkid . '-*', FilesystemIterator::KEY_AS_FILENAME);
         $array = iterator_to_array($iterator);
         foreach ($array as $index => &$item) {
@@ -190,6 +194,10 @@ class Upload
      */
     public function merge($chunkid, $chunkcount, $filename)
     {
+        if (!preg_match('/^[a-z0-9\-]{36}$/', $chunkid)) {
+            throw new UploadException(__('Invalid parameters'));
+        }
+
         $filePath = $this->chunkDir . DS . $chunkid;
 
         $completed = true;
@@ -229,6 +237,8 @@ class Upload
         }
         @fclose($destFile);
 
+        $attachment = null;
+        try {
             $file = new File($uploadPath);
             $info = [
                 'name'     => $filename,
@@ -249,7 +259,12 @@ class Upload
             //允许大文件
             $this->config['maxsize'] = "1024G";
 
-        return $this->upload();
+            $attachment = $this->upload();
+        } catch (\Exception $e) {
+            @unlink($destFile);
+            throw new UploadException($e->getMessage());
+        }
+        return $attachment;
     }
 
     /**
@@ -263,6 +278,10 @@ class Upload
             throw new UploadException(__('Uploaded file format is limited'));
         }
 
+        if (!preg_match('/^[a-z0-9\-]{36}$/', $chunkid)) {
+            throw new UploadException(__('Invalid parameters'));
+        }
+
         $destDir = RUNTIME_PATH . 'chunks';
         $fileName = $chunkid . "-" . $chunkindex . '.part';
         $destFile = $destDir . DS . $fileName;