UploadServe.php
1.87 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
<?php
declare(strict_types=1);
namespace app\controller\admin;
use app\BaseController;
/**
* 经管理端鉴权输出 public/uploads 下文件,便于前端跨域拉取 Blob(静态 /uploads 无 CORS 时)。
*/
class UploadServe extends BaseController
{
public function raw()
{
$path = trim((string) $this->request->get('path', ''));
if ($path === '' || str_contains($path, '..')) {
return json(['code' => 400, 'msg' => '非法路径', 'data' => []]);
}
if (!str_starts_with($path, '/uploads/')) {
return json(['code' => 400, 'msg' => '仅允许 /uploads/ 下的文件', 'data' => []]);
}
$rel = ltrim($path, '/');
$abs = public_path() . str_replace('/', DIRECTORY_SEPARATOR, $rel);
$uploadsRoot = realpath(public_path() . 'uploads');
$realFile = realpath($abs);
if ($uploadsRoot === false || $realFile === false) {
return json(['code' => 404, 'msg' => '文件不存在', 'data' => []]);
}
if (!str_starts_with($realFile, $uploadsRoot . DIRECTORY_SEPARATOR)) {
return json(['code' => 404, 'msg' => '文件不存在', 'data' => []]);
}
if (!is_file($realFile)) {
return json(['code' => 404, 'msg' => '文件不存在', 'data' => []]);
}
$ext = strtolower(pathinfo($realFile, PATHINFO_EXTENSION));
$mime = match ($ext) {
'jpg', 'jpeg' => 'image/jpeg',
'png' => 'image/png',
'webp' => 'image/webp',
'gif' => 'image/gif',
default => 'application/octet-stream',
};
// 使用 File 响应:输出前清理 output buffer,避免调试输出污染二进制;并设置 Content-Transfer-Encoding 等
return download($realFile, basename($realFile), false, 300)
->mimeType($mime)
->force(false);
}
}