package kr.co.kihyun.beans.totsys.repoper;
import java.io.DataOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.PrintWriter;
import javax.jdo.PersistenceManager;
import javax.jdo.Transaction;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
//import kr.co.kihyun.beans.entity.MUser;
import kr.co.kihyun.beans.entity.TotReport;
//import kr.co.kihyun.beans.entity.TotReportProcess;
import kr.co.kihyun.beans.entity.util.MPersistenceManager;
import kr.co.kihyun.beans.entity.util.*;
//import kr.co.kihyun.beans.totsys.report.ReportUpdate;
import kr.co.kihyun.beans.user.HttpSSOLogin;
//import kr.co.kihyun.lang.MInteger;
import kr.co.kihyun.lang.MLong;
import kr.co.kihyun.moumi.MoumiConfig;
import kr.co.kihyun.moumi.report.MReport;
import kr.co.kihyun.text.html.ServletUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
//import kr.co.kihyun.beans.totsys.report.ReportView;
import kr.co.kihyun.beans.totsys.report.ReportViewManager;
import kr.co.kihyun.beans.totsys.report.ReportFormElement;
//import kr.co.kihyun.beans.totsys.doc.table.item.Item;
//import kr.co.kihyun.beans.totsys.doc.table.Table;
import kr.co.kihyun.beans.totsys.doc.table.item.ItemList;
import kr.co.kihyun.text.excel.Excel;
import kr.co.kihyun.text.html.TagFilter;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Map.Entry;
import java.util.List;
import kr.co.kihyun.util.*;
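@WebServlet("/servlet/kr.co.kihyun.beans.totsys.repoper.HttpExcelDown")
public class HttpExcelDown extends HttpServlet
{
    private static final long serialVersionUID = 1L;

    /** Logger keyed to this class (it previously pointed at HttpNotUpdate, which mislabelled every log line). */
    private static final Logger LOG = LoggerFactory.getLogger(HttpExcelDown.class);

    /** Script sent to callers without an SSO session. A compile-time constant, so it needs no output filtering. */
    private static final String LOGIN_REDIRECT_JS = "location='/totsys/login/login.jsp';";

    /**
     * Exports the report identified by the {@code reportID} request parameter as an .xls file, writes the
     * report's attachments next to it in a fresh per-request directory, and finally emits an auto-submitting
     * HTML form that hands the file list over to the EIS front end (see {@link #makeHtml}).
     *
     * <p>Callers without an SSO session only receive a JavaScript redirect to the login page.
     *
     * @param req  the servlet request; only {@code reportID} is read from it
     * @param res  the servlet response; written as {@code text/html;charset=UTF-8}
     * @throws ServletException never thrown here, kept for the {@link HttpServlet} contract
     * @throws IOException      if the response writer cannot be obtained or an error response cannot be sent
     */
    public void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException
    {
        res.setContentType("text/html;charset=UTF-8");
        PrintWriter out = res.getWriter();
        // Make sure a session exists before the SSO check; the session object itself is not used here.
        req.getSession(true);
        if (!HttpSSOLogin.isLogin(req))
        {
            out.println(ServletUtil.getJavaScript(LOGIN_REDIRECT_JS));
            return;
        }
        Long reportID = MLong.parseLong(req.getParameter("reportID"));
        PersistenceManager pm = new MPersistenceManager(PMF.get().getPersistenceManager());
        Transaction tx = pm.currentTransaction();
        try {
            TotReport totReport = pm.getObjectById(TotReport.class, reportID);
            tx.begin();
            ReportViewManager reportViewManager = new ReportViewManager(totReport.getTotDoc(), MReport.EXCEL);
            String userId = totReport.getUser(pm).getId();
            String dept = totReport.getDept(pm).getId();
            reportViewManager.setReportData(dept, userId);
            String party = MoumiConfig.getInitParameter("moumi.partyId");
            String docName = totReport.getTotDoc().getName();
            // SimpleDateFormat is not thread-safe, so it is deliberately a per-request local.
            String dateStr = new SimpleDateFormat("yyyyMMddHHmmss").format(new Date());
            // Sanitise once, up front, so the name written to disk and the name reported to the client agree.
            String excelName = safeFileName(docName + ".xls");
            // CWE-22: the directory is built from configuration and persisted entity ids, not from request
            // parameters; the per-file names below are the only attacker-influenced path components.
            String dirName = "/edufile/" + party + "/" + party + "/bms/out/" + dept + "/" + userId + dateStr + "/";
            File tmpDir = new File(dirName);
            boolean isMkDir = tmpDir.mkdirs();
            if (isMkDir) {
                // CWE-379: restrict the new directory to its owner. These calls only have an effect on an
                // existing path, so they must run after mkdirs(), not before it.
                tmpDir.setExecutable(true, true);
                tmpDir.setReadable(true, true);
                tmpDir.setWritable(true, true);
                String nameList = writeAttachments(totReport, tmpDir, excelName);
                tx.rollback();
                String report = reportViewManager.getReport();
                ReportFormElement reportFormElement = new ReportFormElement(totReport.getTotDoc());
                // The form text itself was never used; the call is kept in case it primes state read by getItemList().
                reportFormElement.getForm();
                ItemList itemTypes = reportFormElement.getItemList();
                int[] tmpItemTypeList = itemTypes.getTypeList();
                String ttmp = Excel.adjustFmlaToExcel(TagFilter.removeBlankPara(Excel.setCellTypes(Excel.removeFmla(report), tmpItemTypeList)));
                writeText(resolveInside(tmpDir, excelName), ttmp);
                makeHtml(req, res, dirName, nameList, out, docName, userId, reportID, dept);
            } else {
                LOG.error("\nFailed to make directory. - dirName : {}", dirName);
            }
        } catch (IOException ioex) {
            // CWE-209: keep the exception detail in the server log, not in the response body.
            LOG.error("Excel export failed for reportID={}", reportID, ioex);
            res.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Error!: excel export failed");
        } catch (Exception ex) {
            LOG.error("Excel export failed for reportID={}", reportID, ex);
            res.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Error!: excel export failed");
        } finally {
            if (tx.isActive()) {
                tx.rollback();
            }
            pm.close();
        }
    }

    /**
     * Writes every attachment of {@code totReport} into {@code dir} and returns the comma-separated list of
     * file names that now exist there, starting with {@code excelName}.
     *
     * <p>Attachments whose sanitised name is empty, or that fail to write, are logged and left out of the
     * list, so the client is never pointed at a file that was not created. One bad attachment does not abort
     * the export (best-effort, as before).
     *
     * @param totReport source of the attachment map (name to byte list)
     * @param dir       existing output directory
     * @param excelName already-sanitised name of the .xls file, used as the first list entry
     * @return comma-separated file names, never {@code null}
     */
    private static String writeAttachments(TotReport totReport, File dir, String excelName)
    {
        StringBuilder nameList = new StringBuilder(excelName);
        for (Entry<String, List<Byte>> entry : totReport.getAttachments().entrySet()) {
            String tmpName = safeFileName(entry.getKey());
            if (tmpName.isEmpty()) {
                LOG.warn("Skipping attachment with empty or unsafe name: {}", entry.getKey());
                continue;
            }
            try {
                // Use the entry's own value: looking the sanitised name up in the map again would miss the
                // original key whenever sanitising changed it.
                writeBytes(resolveInside(dir, tmpName), entry.getValue());
                nameList.append(',').append(tmpName);
            } catch (IOException e) {
                LOG.error("Failed to write attachment {} into {}", tmpName, dir, e);
            }
        }
        return nameList.toString();
    }

    /**
     * Removes both path separators from a stored file name so it can only denote a direct child of the
     * output directory. A {@code null} name becomes the empty string; callers treat that as "skip".
     *
     * <p>Uses literal {@link String#replace(CharSequence, CharSequence)}: the earlier
     * {@code replaceAll("\\", "")} was an invalid regex and threw at runtime.
     *
     * @param name raw file name, may be {@code null}
     * @return the name without {@code /} and {@code \}, never {@code null}
     */
    static String safeFileName(String name)
    {
        if (name == null) {
            return "";
        }
        return name.replace("/", "").replace("\\", "");
    }

    /**
     * Resolves {@code name} inside {@code dir} and verifies, after canonicalisation, that the result is
     * really below {@code dir} (CWE-22). Names such as {@code ..} or {@code .} are rejected here.
     *
     * @param dir  output directory
     * @param name file name, expected to be already separator-free
     * @return the file to write
     * @throws IOException if the path cannot be canonicalised or escapes {@code dir}
     */
    static File resolveInside(File dir, String name) throws IOException
    {
        File target = new File(dir, name);
        String base = dir.getCanonicalPath() + File.separator;
        if (!target.getCanonicalPath().startsWith(base)) {
            throw new IOException("file name resolves outside the output directory: " + name);
        }
        return target;
    }

    /**
     * Writes the boxed byte list to {@code target} in one call and always closes the stream.
     * A {@code null} list produces an empty file.
     *
     * @throws IOException if the file cannot be opened or written
     */
    private static void writeBytes(File target, List<Byte> content) throws IOException
    {
        byte[] bytes = new byte[content == null ? 0 : content.size()];
        if (content != null) {
            int i = 0;
            for (Byte b : content) {
                bytes[i++] = b;
            }
        }
        FileOutputStream output = new FileOutputStream(target);
        try {
            output.write(bytes);
        } finally {
            output.close();
        }
    }

    /**
     * Writes {@code text} to {@code target} with a {@link PrintWriter} (platform charset, as before) and
     * always closes it, even when printing fails.
     *
     * @throws IOException if the file cannot be created
     */
    private static void writeText(File target, String text) throws IOException
    {
        PrintWriter pw = new PrintWriter(target);
        try {
            pw.print(text);
        } finally {
            pw.close();
        }
    }

    /**
     * Escapes the five HTML-significant characters so a value can be placed inside a quoted attribute.
     * Base64 values pass through unchanged; ids and paths taken from persisted data are made inert.
     */
    private static String escapeAttr(Object value)
    {
        String s = String.valueOf(value);
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /**
     * Emits a hidden form carrying the export results and a script that posts it to the EIS viewer.
     * {@code docName} and {@code fList} are Base64-encoded first; every value is HTML-attribute-escaped
     * before being written so that ids or paths containing quotes cannot break out of the markup.
     *
     * @param req     used only for {@link HttpServletRequest#getServerName()} when building the target URL
     * @param res     response whose content type is (re)set to {@code text/html;charset=utf-8}
     * @param path    directory the files were written to
     * @param fList   comma-separated file names
     * @param out     writer already obtained from {@code res}
     * @param docName document name; must not be {@code null}
     * @param uid     user id
     * @param rid     report id
     * @param dept    department id
     */
    public void makeHtml(HttpServletRequest req, HttpServletResponse res, String path, String fList, PrintWriter out, String docName, String uid, Long rid, String dept)
    {
        // getBytes() without a charset is kept on purpose: the receiving side decodes the same way.
        docName = Base64.encodeBase64FromByte(docName.getBytes());
        fList = Base64.encodeBase64FromByte(fList.getBytes());
        res.setContentType("text/html;charset=utf-8");
        out.println("<html>");
        out.println("<head>");
        out.println("</head>");
        out.println("<body>");
        out.println("<form name='payForm' method='post'>");
        out.println("<input type=hidden name='doctKndCode' value='C21'>");
        out.println("<input type=hidden name='USER_ID' value='" + escapeAttr(uid) + "'>");
        out.println("<input type=hidden name='DEPT_CODE' value='" + escapeAttr(dept) + "'>");
        out.println("<input type=hidden name='reportID' value='" + escapeAttr(rid) + "'>");
        out.println("<input type=hidden name='filePath' value='" + escapeAttr(path) + "'>");
        out.println("<input type=hidden name='fileName' value='" + escapeAttr(fList) + "'>");
        out.println("<input type=hidden name='doctName' value='" + escapeAttr(docName) + "'>");
        out.println("</form>");
        out.println("</body>");
        out.println("</html>");
        out.println("<script>");
        out.println("frm=document.payForm;");
        out.println("frm.target='_self';");
        // NOTE(review): the target host is derived from the request's Host header (getServerName), so the
        // post destination follows whatever name the container accepted; a configured EIS host would be safer.
        String url = "'http://" + req.getServerName().replace("ats", "eis") + "/displayXUI.jsp?mipid=cm.bcm.cfm.rt::bcm_cfmrt00_p00.xfdl';";
        out.println("frm.action=" + url);
        out.println("frm.submit();");
        out.println("</script>");
    }
}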