參考文獻:
http://bbs.csdn.net/topics/390952011
http://blog.csdn.net/ljj_9/article/details/53306468
1.下載地址
http://hc.apache.org/downloads.cgi
Apache → Projects → HttpComponents
2.DownloadServlet
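package com.servlet;

import java.io.IOException;
import java.io.OutputStream;
import java.net.URLEncoder;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Serves one file from the web application's {@code files/document} directory as an
 * attachment. The file is chosen by the {@code id} request parameter, which is treated
 * as a bare file name: the resolved path is normalized and must still lie inside the
 * document directory, so {@code ../} sequences (plain or URL-encoded, which the
 * container decodes before the parameter reaches this servlet) cannot reach other
 * files on the server.
 */
public class DownloadServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    /** Sub-directory of the web application root that holds downloadable files. */
    private static final String DOCUMENT_DIR = "files/document";

    /**
     * Streams the requested file to the client.
     *
     * <p>Responds 400 when {@code id} is missing or not a valid path, 404 when the
     * resolved path is outside the document directory or is not a regular file.
     *
     * @param request  carries the {@code id} parameter naming the file
     * @param response receives the file as {@code application/octet-stream}
     * @throws IOException if the file cannot be read or the response cannot be written
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String filename = request.getParameter("id");
        if (filename == null || filename.isEmpty()) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing id");
            return;
        }

        String webRoot = request.getServletContext().getRealPath("");
        if (webRoot == null) {
            // getRealPath() returns null when the application is not deployed as an
            // exploded directory; there is no file system location to serve from.
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        Path base = Paths.get(webRoot, DOCUMENT_DIR).toAbsolutePath().normalize();

        Path target;
        try {
            target = base.resolve(filename).toAbsolutePath().normalize();
        } catch (InvalidPathException e) {
            // e.g. NUL bytes or characters the file system rejects in a name
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // Traversal guard: after normalization the path must still be under the document
        // directory. An absolute "id" or one containing ".." would resolve elsewhere.
        if (!target.startsWith(base) || !Files.isRegularFile(target)) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Use the file's own name for the download, not the raw parameter.
        // URLEncoder encodes spaces as '+', which browsers do not decode in this header.
        String rname = URLEncoder.encode(target.getFileName().toString(), "UTF-8")
                .replace("+", "%20");
        response.setContentType("application/octet-stream");
        response.setHeader("Content-Disposition", "attachment;filename=" + rname);
        response.setHeader("Content-Length", Long.toString(Files.size(target)));

        // Stream the file: available() is not the file size, and a single read() is not
        // guaranteed to fill a buffer, so the original whole-file read could truncate.
        OutputStream os = response.getOutputStream();
        try {
            Files.copy(target, os);
            os.flush();
        } finally {
            os.close();
        }
    }

    /**
     * Intentionally a no-op: downloads are served by {@link #doGet} only, and POST
     * requests are answered with an empty body, as in the original servlet.
     */
    @Override
    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // no POST handling
    }
}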
3.ClientA.java
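package com.tool;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

import org.apache.http.HttpResponse;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.DefaultHttpClient;

/**
 * Minimal HttpClient example that issues a GET against the download servlet.
 *
 * <p>The response body is read to the end and discarded; saving it to a file is not
 * part of this example. The body is drained and the client shut down so that the
 * underlying connection is always released, which the original code never did.
 */
public class ClientA {

    /**
     * Entry point: runs one request.
     *
     * @param args ignored
     */
    public static void main(String[] args) {
        new ClientA().service();
    }

    /**
     * Sends the GET request and drains the response.
     *
     * <p>Protocol and I/O errors are printed to stderr rather than propagated, matching
     * the original example's behaviour.
     */
    public void service() {
        String url = "http://此處填寫ip或網址/download.do";
        HttpClient client = new DefaultHttpClient();
        HttpGet get = new HttpGet(url);
        try {
            HttpResponse response = client.execute(get);
            // Reading the body to EOF (even for an error status) is what lets HttpClient
            // return the connection; leaving it unread leaks the socket.
            if (response.getEntity() != null) {
                InputStream in = response.getEntity().getContent();
                try {
                    byte[] buffer = new byte[8192];
                    while (in.read(buffer) != -1) {
                        // discard
                    }
                } finally {
                    in.close();
                }
            }
        } catch (ClientProtocolException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            // DefaultHttpClient does not release its sockets on its own.
            client.getConnectionManager().shutdown();
        }
    }
}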
4.注意服務器的編碼方式和客戶端的區別
統一為utf-8
5.注意目錄遍歷漏洞
目錄遍歷是通過操作URL強行訪問web目錄以外的文件,目錄和命令,攻擊者可以在目標機器的任何位置訪問文件,執行命令。
最基本的目錄遍歷攻擊技術是在URL中使用"../"序列,改變訪問資源的路徑,訪問到web目錄以外的文件。
例如:
http://example.com/../../../../some/file
http://example.com/..%255c..%255c/some/file
正常請求為:
http://example.com/test.cgi?look=intex.html
如果存在目錄遍歷漏洞,攻擊者可以訪問
http://example.com/test.cgi?look=test.cgi
解決辦法:
過濾請求數據中"../"字符序列及其各種變形（包括URL編碼、雙重編碼等變形；單靠黑名單過濾容易被繞過，應與下一條配合使用）。
驗證用戶請求中提交的需要訪問的文件是否在限定的范圍內（先將路徑正規化，再確認它仍位於允許的目錄之下）。
java web使用filter過濾url即可。