Commit 12ad80d539b4bf27aee4121d8d717eca92d4490e

Authored by zhangdaiscott
1 parent 5d093cb5

表字典接口存在SQL注入漏洞,增加签名拦截器 自定义组件验签失败 issues/I3XNK1

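--- a/jeecg-boot/jeecg-boot-base/jeecg-boot-base-core/src/main/java/org/jeecg/config/sign/util/HttpUtils.java
+++ b/jeecg-boot/jeecg-boot-base/jeecg-boot-base-core/src/main/java/org/jeecg/config/sign/util/HttpUtils.java
@@ -1,10 +1,5 @@
 package org.jeecg.config.sign.util;
 
-import com.alibaba.fastjson.JSONObject;
-import org.jeecg.common.util.oConvertUtils;
-import org.springframework.http.HttpMethod;
-
-import javax.servlet.http.HttpServletRequest;
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
@@ -15,12 +10,21 @@ import java.util.Map;
 import java.util.SortedMap;
 import java.util.TreeMap;
 
+import javax.servlet.http.HttpServletRequest;
+
+import lombok.extern.slf4j.Slf4j;
+import org.jeecg.common.util.oConvertUtils;
+import org.springframework.http.HttpMethod;
+
+import com.alibaba.fastjson.JSONObject;
+
 /**
 * http 工具类 获取请求中的参数
 *
 * @author jeecg
 * @date 20210621
 */
+@Slf4j
 public class HttpUtils {
 
 /**
@@ -36,7 +40,10 @@ public class HttpUtils {
 // 获取URL上最后带逗号的参数变量 sys/dict/getDictItems/sys_user,realname,username
 String pathVariable = request.getRequestURI().substring(request.getRequestURI().lastIndexOf("/") + 1);
 if (pathVariable.contains(",")) {
-result.put(SignUtil.xPathVariable, pathVariable);
+log.info(" pathVariable: {}",pathVariable);
+String deString = URLDecoder.decode(pathVariable, "UTF-8");
+log.info(" pathVariable decode: {}",deString);
+result.put(SignUtil.xPathVariable, deString);
 }
 // 获取URL上的参数
 Map<String, String> urlParams = getUrlParams(request);
@@ -71,7 +78,10 @@ public class HttpUtils {
 // 获取URL上最后带逗号的参数变量 sys/dict/getDictItems/sys_user,realname,username
 String pathVariable = url.substring(url.lastIndexOf("/") + 1);
 if (pathVariable.contains(",")) {
-result.put(SignUtil.xPathVariable, pathVariable);
+log.info(" pathVariable: {}",pathVariable);
+String deString = URLDecoder.decode(pathVariable, "UTF-8");
+log.info(" pathVariable decode: {}",deString);
+result.put(SignUtil.xPathVariable, deString);
 }
 // 获取URL上的参数
 Map<String, String> urlParams = getUrlParams(queryString);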
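Review bot: In both changed branches the `contains(",")` test still runs on the raw, percent-encoded last path segment and the decode only happens inside that branch, so a request that encodes its commas as `%2C` never puts `xPathVariable` into the signed parameter map even though the servlet layer will hand the controller the decoded, comma-separated value; whether such a request then passes verification depends on SignUtil, which is outside this diff, but the branch should decode before it decides: `String rawSegment = request.getRequestURI().substring(request.getRequestURI().lastIndexOf("/") + 1);` / `String pathVariable = URLDecoder.decode(rawSegment, "UTF-8");` / `if (pathVariable.contains(",")) {` (same shape for the `url` variant). `URLDecoder.decode` also throws `IllegalArgumentException` on a malformed escape such as `%zz` and rewrites `+` as a space, so a client-controlled segment can abort the interceptor with an uncaught exception instead of a clean signature failure — catch it and treat it as a verification failure. The two `log.info` calls print the attacker-controlled segment, raw and decoded, on every matching request at INFO level; a decoded `%0A`/`%0D` lands in the log as a line break, so either drop to `log.debug` or strip CR/LF before logging. The methods containing both hunks start and end outside the diff, and the `java.net.URLDecoder` import is presumably among the unshown import lines — worth confirming it is already there.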