  • URL存在http host头攻击漏洞-修复方案

    URL存在http host头攻击漏洞-修复方案

    spring boot使用注解的方式 --

    第一步:在自定义filter类上添加如下注解

    package com.cmcc.hy.mobile.config;
    
    import java.io.IOException;
    import java.util.Arrays;
    import java.util.List;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.annotation.WebFilter;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.beans.factory.annotation.Value;
    
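    /**
     * Servlet filter that rejects requests whose server name (the value the
     * container derives from the {@code Host} header) is not on a configured
     * allowlist, as a mitigation for HTTP Host header attacks.
     *
     * <p>Registered via {@link WebFilter}; the Spring Boot application class must
     * enable servlet component scanning for the filter to be picked up.
     *
     * @author wangzhengrong
     * @date 2019/1/22 11:09
     */
    @WebFilter(filterName = "otherFilter")
    public class HostFilter implements Filter {

      /**
       * Comma-separated allowlist of server names, injected from the
       * {@code ALLOWED_SERVERNAMES} property. Entries are trimmed before use and
       * compared case-insensitively.
       */
      @Value("${ALLOWED_SERVERNAMES}")
      private String ALLOWED_SERVERNAMES;

      @Override
      public void init(FilterConfig filterConfig) throws ServletException {
        // Nothing to initialise; the allowlist is injected by Spring.
      }

      /**
       * Lets the request through only when its server name is non-blank and on the
       * allowlist; otherwise answers 403 without invoking the rest of the chain.
       *
       * <p>A blank server name is denied as well (fail closed): letting such
       * requests through would make the allowlist trivially bypassable.
       *
       * @throws IOException      propagated from the chain or the response
       * @throws ServletException propagated from the chain
       */
      @Override
      public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
          FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        // NOTE(review): getServerName() reflects the Host header as seen by the
        // container; if a forwarded-header filter runs earlier it may come from
        // X-Forwarded-Host instead — confirm against the deployment.
        String serverName = request.getServerName();
        System.out.println("serverName-debug:" + serverName);
        if (!isEmpty(serverName) && checkBlankList(serverName)) {
          filterChain.doFilter(servletRequest, servletResponse);
          return;
        }
        System.out.println("[serverName deny access tips]->" + serverName);
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.flushBuffer();
      }

      @Override
      public void destroy() {
        // Nothing to release.
      }

      /**
       * Checks whether {@code serverName} matches one of the configured allowlist
       * entries. Entries are trimmed so that {@code "a.com, b.com"} works, and the
       * comparison is case-insensitive because host names are case-insensitive.
       *
       * @param serverName the server name to check; a blank value never matches
       * @return {@code true} only when an exact (case-insensitive) match exists;
       *         {@code false} when the allowlist is missing or empty
       */
      private boolean checkBlankList(String serverName) {
        if (isEmpty(serverName) || isEmpty(ALLOWED_SERVERNAMES)) {
          return false;
        }
        String candidate = serverName.trim();
        for (String entry : ALLOWED_SERVERNAMES.split(",")) {
          String allowed = entry.trim();
          if (!allowed.isEmpty() && allowed.equalsIgnoreCase(candidate)) {
            return true;
          }
        }
        return false;
      }

      /**
       * Returns {@code true} when {@code str} is {@code null} or its string form is
       * blank (empty or whitespace only).
       *
       * @param str the value to test; may be {@code null}
       * @return whether the value should be treated as absent
       */
      public boolean isEmpty(Object str) {
        return str == null || str.toString().trim().isEmpty();
      }

    }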

    第二步:还需要在启动类上添加注解 @ServletComponentScan,以确保能扫描到Filter类,当然也可以指定该注解的basePackages属性。这里需要注意的是,使用这种方式时,不能像第一种方式那样指定filter顺序,使用Order注解也无效
