From cfc01ae62a6f0a691ba096bec506a9aca167562f Mon Sep 17 00:00:00 2001
From: xiaoz
Date: Mon, 15 Jan 2024 11:25:03 +0800
Subject: [PATCH] 0.9.34
---
 class/Api.php | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/class/Api.php b/class/Api.php
index 7e793b7..2066e95 100644
--- a/class/Api.php
+++ b/class/Api.php
@@ -1,7 +1,7 @@
 * blog:xiaoz.me
 */
@@ -339,6 +339,18 @@ class Api {
 //过滤$filename
 $filename = str_replace('../','',$filename);
 $filename = str_replace('./','',$filename);
+ // 获取文件名称的后缀
+ $suffix = explode('.',$filename);
+ // 如果没有后缀,则不合法,通过数组长度判断后缀
+ if( count($suffix) < 2 ) {
+ $this->err_msg(-2000,'文件不合法!');
+ }
+ // 获取文件后缀
+ $suffix = strtolower(end($suffix));
+ if( ( $suffix != 'html' ) && ( $suffix != 'htm' ) ) {
+ $this->err_msg(-2000,'文件不合法!');
+ }
+
 $this->auth($token);
 //检查文件是否存在
 if ( !file_exists($filename) ) {
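Review bot: The new suffix checks in the second hunk only stop execution if `err_msg()` terminates the script, which this hunk does not show; if it merely echoes and returns, both `if` blocks fall through and the rejected filename still reaches `$this->auth($token)` and the `file_exists()` call below. Either confirm `err_msg()` exits or make the rejection explicit, e.g. `$this->err_msg(-2000,'文件不合法!'); return;` in both branches. The two-step `explode`/`count`/`end` derivation can also be collapsed into `$suffix = strtolower(pathinfo($filename, PATHINFO_EXTENSION)); if (!in_array($suffix, ['html', 'htm'], true)) { ... }`, which handles the no-extension case without the separate length test and replaces the loose `!=` comparisons with a strict check. Note that the suffix validation runs before `$this->auth($token)`, so an unauthenticated caller receives the "文件不合法" response based on the supplied filename; moving the `auth()` call ahead of the new checks would keep all input feedback behind the token. The enclosing method begins before this hunk, so its signature and the origin of `$filename` are not visible here.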