参考文献:
http://bbs.csdn.net/topics/390952011
http://blog.csdn.net/ljj_9/article/details/53306468
1.下载地址
http://hc.apache.org/downloads.cgi
Apache → Projects → HttpComponents
2.DownloadServlet
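package com.servlet;

import java.io.IOException;
import java.io.OutputStream;
import java.net.URLEncoder;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Serves one file from {@code <webapp root>/files/document/} as an attachment.
 *
 * <p>The file is chosen by the {@code id} request parameter. The parameter is
 * treated as a bare file name, never as a path: it is resolved against the
 * document directory, normalized, and the request is rejected unless the
 * result still lies inside that directory. That check is what stops
 * {@code ../}-style directory traversal through {@code id}; the original
 * concatenated the raw parameter straight into the file path.
 */
public class DownloadServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    /** Directory below the web application root that downloads are served from. */
    private static final String DOCUMENT_DIR = "files/document";

    /**
     * Streams the requested file to the client with a
     * {@code Content-Disposition: attachment} header.
     *
     * @param request  carries the {@code id} parameter naming the file
     * @param response receives the file bytes, or an error status:
     *                 400 when {@code id} is missing or is not a plain file name,
     *                 404 when no such regular file exists,
     *                 500 when the web application is not available on disk
     * @throws IOException if the file cannot be read or the response cannot be written
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getRealPath("") is null when the container does not expose the webapp on disk.
        String webRoot = request.getServletContext().getRealPath("");
        if (webRoot == null) {
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR,
                    "document directory is not available on disk");
            return;
        }
        Path baseDir = Paths.get(webRoot, DOCUMENT_DIR).toAbsolutePath().normalize();

        String filename = request.getParameter("id");
        Path file = resolveInside(baseDir, filename);
        if (file == null) {
            // Missing id, embedded separators, or a name that escapes baseDir.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid file name");
            return;
        }
        if (!Files.isRegularFile(file)) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Encode explicitly as UTF-8: the one-argument URLEncoder.encode uses the
        // platform charset, which is exactly the server/client mismatch to avoid.
        // (The previous new String(filename.getBytes("utf-8")) round-trip did nothing
        // useful and was lossy on a non-UTF-8 platform.)
        String encodedName = URLEncoder.encode(filename, "UTF-8");
        response.setContentType("application/octet-stream");
        response.setHeader("Content-Disposition", "attachment;filename=" + encodedName);
        response.setHeader("Content-Length", Long.toString(Files.size(file)));

        // Files.copy streams in chunks. The original sized a single array from
        // InputStream.available(), which is not guaranteed to be the file length,
        // and never closed the streams on an exception.
        try (OutputStream out = response.getOutputStream()) {
            Files.copy(file, out);
        }
    }

    /**
     * Resolves {@code filename} as a plain file name directly inside {@code baseDir}.
     *
     * <p>Package-private so the traversal check can be unit-tested without a
     * servlet container.
     *
     * @param baseDir  absolute, normalized directory the result must stay within
     * @param filename value of the {@code id} parameter; may be {@code null}
     * @return the normalized absolute path, or {@code null} when the name is
     *         missing, empty, contains a path separator, cannot form a path, or
     *         normalizes to {@code baseDir} itself or to a location outside it
     */
    static Path resolveInside(Path baseDir, String filename) {
        if (filename == null || filename.isEmpty()
                || filename.indexOf('/') >= 0 || filename.indexOf('\\') >= 0) {
            return null;
        }
        Path resolved;
        try {
            resolved = baseDir.resolve(filename).normalize();
        } catch (InvalidPathException e) {
            // e.g. a NUL byte or another character the file system rejects
            return null;
        }
        // Path.startsWith compares whole components, so "files/document2" does not
        // pass as a prefix of "files/document"; ".." has already been normalized away.
        if (!resolved.startsWith(baseDir) || resolved.equals(baseDir)) {
            return null;
        }
        return resolved;
    }

    /**
     * Intentionally a no-op: the download client on this page only uses GET.
     * Kept so POST still yields an empty 200 as before.
     */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // nothing to do
    }
}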
3.ClientA.java
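package com.tool;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

import org.apache.http.HttpResponse;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.DefaultHttpClient;

/**
 * Minimal HttpClient 4.x caller for {@code DownloadServlet}.
 *
 * <p>The servlet selects the file by the {@code id} request parameter, so the
 * request URL must carry {@code ?id=<file name>}; the bare
 * {@code /download.do} used here gives the servlet nothing to serve.
 */
public class ClientA {

    public static void main(String[] args) {
        new ClientA().service();
    }

    /**
     * Issues one GET to the download endpoint, reports a non-200 status on
     * stderr, and releases the connection.
     *
     * <p>The response body is read to EOF so the connection can be reused, but
     * the bytes are discarded. To keep the download, copy {@code body} to a
     * {@link FileOutputStream} instead of draining it. The original executed
     * the request and never touched the response, so neither the body nor the
     * connection was ever released.
     */
    public void service() {
        // Fill in host/IP and append "?id=<file name>" (see DownloadServlet.doGet).
        String url = "http://此处填写ip或网址/download.do";
        HttpClient client = new DefaultHttpClient();
        try {
            HttpResponse response = client.execute(new HttpGet(url));
            int status = response.getStatusLine().getStatusCode();
            if (status != 200) {
                System.err.println("download failed, HTTP status " + status);
            }
            // Reading the entity to EOF is what lets the client reuse the connection.
            if (response.getEntity() != null) {
                try (InputStream body = response.getEntity().getContent()) {
                    byte[] buffer = new byte[8192];
                    while (body.read(buffer) != -1) {
                        // discard
                    }
                }
            }
        } catch (ClientProtocolException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            // DefaultHttpClient has no close(); shutting down its connection
            // manager frees the socket(s) it holds.
            client.getConnectionManager().shutdown();
        }
    }
}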
4.注意服务器的编码方式和客户端的区别
统一为utf-8
5.注意目录遍历漏洞
目录遍历是通过操作URL强行访问web目录以外的文件,目录和命令,攻击者可以在目标机器的任何位置访问文件,执行命令。
最基本的目录遍历攻击技术是在URL中使用"../"序列,改变访问资源的路径,访问到web目录以外的文件。
例如:
http://example.com/../../../../some/file
http://example.com/..%255c..%255c/some/file
正常请求为:
http://example.com/test.cgi?look=index.html
如果存在目录遍历漏洞,攻击者可以访问
http://example.com/test.cgi?look=test.cgi
解决办法:
过滤请求数据中"../"字符序列及其各种变形（包括 URL 编码、双重编码等形式，如上面的 ..%255c）。
验证用户请求中提交的需要访问的文件是否在限定的范围内：把基础目录和文件名拼接后先规范化（例如 Path.normalize()），再检查结果仍位于基础目录之内。这一步是根本性的防护，单纯过滤"../"容易被编码变形绕过。
Java Web 中可以使用 Filter 对 URL 做统一过滤，作为上述检查的补充。