From f29b7877675b037028fe46a32a4dbd90728bbe3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=96=AF=E7=8B=82=E7=9A=84=E7=8B=AE=E5=AD=90Li?= <15040126243@163.com>
Date: Wed, 2 Jul 2025 14:35:25 +0800
Subject: [PATCH] =?UTF-8?q?fix=20=E4=BF=AE=E5=A4=8D=20=E6=9C=89=E6=9F=90?= =?UTF-8?q?=E4=BA=9B=E6=97=A0=E8=81=8A=E4=BA=BA=E5=A3=AB=20=E5=AF=B9?= =?UTF-8?q?=E4=B8=80=E4=B8=AAdemo=E6=A1=88=E4=BE=8B=E6=8F=90=E6=BC=8F?= =?UTF-8?q?=E6=B4=9E=20CVE-2025-6925?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../org/dromara/demo/controller/MailController.java | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/ruoyi-modules/ruoyi-demo/src/main/java/org/dromara/demo/controller/MailController.java b/ruoyi-modules/ruoyi-demo/src/main/java/org/dromara/demo/controller/MailController.java
index 01f50449f..9ea7143e2 100644
--- a/ruoyi-modules/ruoyi-demo/src/main/java/org/dromara/demo/controller/MailController.java
+++ b/ruoyi-modules/ruoyi-demo/src/main/java/org/dromara/demo/controller/MailController.java
@@ -44,11 +44,11 @@ public class MailController {
 * @param to 接收人
 * @param subject 标题
 * @param text 内容
- * @param filePath 附件路径
 */
 @GetMapping("/sendMessageWithAttachment")
- public R sendMessageWithAttachment(String to, String subject, String text, String filePath) {
- MailUtils.sendText(to, subject, text, new File(filePath));
+ public R sendMessageWithAttachment(String to, String subject, String text) {
+ // 附件路径 禁止前端传递 有任意读取系统文件风险
+ MailUtils.sendText(to, subject, text, new File("/xxx/xxx"));
 return R.ok();
 }
 
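Review bot: `sendMessageWithAttachment` stays a `@GetMapping` handler that sends mail to a caller-supplied `to` with caller-supplied `subject` and `text`, so with `filePath` gone the file-read risk is closed but any client that can reach the route can still have the server send arbitrary mail; the same holds for `sendMessageWithAttachments` in the next hunk. A side-effecting GET can also be triggered by a cross-site link or image tag, and it leaves the recipient and message text in URL logs. Whether a class-level permission or profile gate applies is not visible here, so confirm it; otherwise switch the routes to `@PostMapping("/sendMessageWithAttachment")` and `@PostMapping("/sendMessageWithAttachments")` and require an explicit permission check. The opening of this method's Javadoc lies above the hunk.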
@@ -58,10 +58,11 @@ public class MailController {
 * @param to 接收人
 * @param subject 标题
 * @param text 内容
- * @param paths 附件路径
 */
 @GetMapping("/sendMessageWithAttachments")
- public R sendMessageWithAttachments(String to, String subject, String text, String[] paths) {
+ public R sendMessageWithAttachments(String to, String subject, String text) {
+ // 附件路径 禁止前端传递 有任意读取系统文件风险
+ String[] paths = new String[]{"/xxx/xxx", "/xxx/xxx"};
 File[] array = Arrays.stream(paths).map(File::new).toArray(File[]::new);
 MailUtils.sendText(to, subject, text, array);
 return R.ok();
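Review bot: The attachment locations are inline magic strings (`new String[]{"/xxx/xxx", "/xxx/xxx"}` here and `new File("/xxx/xxx")` in the previous hunk), which makes the security constraint easy to undo in a later edit; as placeholders they presumably fail at send time unless MailUtils tolerates a missing file. Hoist them into one named constant, e.g. `private static final String[] DEMO_ATTACHMENT_PATHS = {"/xxx/xxx", "/xxx/xxx"};`, carrying the comment `// server-side only: never derive attachment paths from request parameters`. If a caller ever needs to pick an attachment, accept an identifier mapped through a server-side allow-list, or resolve the name under a fixed base directory and reject it unless `base.resolve(name).normalize().startsWith(base)`. The method's closing brace is outside the hunk.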