
task-4611 川北剩余高中危漏洞处理
CORS(跨站资源共享)原始验证失败【原理扫描】漏洞修复
修复逻辑错误

xiexh 9 сар өмнө
parent
commit
88aa72e43b

+ 17 - 10
ibps-provider-root/modules/provider-business/src/main/java/com/lc/ibps/filter/CORSFilter.java

@@ -43,23 +43,30 @@ public class CORSFilter implements Filter {
         // 1. 获取请求的 Origin(跨域请求会带这个头)
         String origin = httpRequest.getHeader("Origin");
 
-        // 2. 如果存在 Origin 且不是同源且没有配置白名单,直接拒绝
         //2. 存在启用的CORS跨域白名单配置
         String sql = " select id_,biao_ti_,can_shu_zhi_1_ from t_zlcsb where shi_fou_qi_yong_ = 1 and jian_zhi_='%s'";
         sql = String.format(sql,"CORS");
         Map<String,Object> corszlcs = commonDao.queryOne(sql);
-        if(BeanUtils.isEmpty(corszlcs)){//不启用
+        if(BeanUtils.isEmpty(corszlcs)){//不启用跨域访白名单控制
             filterChain.doFilter(httpRequest, response);
         }else{
-            String bmd = (String) corszlcs.get("can_shu_zhi_1_");
-            //if (origin != null && !origin.startsWith(httpRequest.getScheme() + "://" + httpRequest.getServerName())) {
-            if (origin != null && !bmd.contains(httpRequest.getServerName())) {
-                log.info("杂类参数表中配置的允许跨域访问的白名单不包括{},请联系管理员添加",httpRequest.getServerName());
-                response.setStatus(HttpServletResponse.SC_FORBIDDEN); // 403
-                response.getWriter().write("CORS not allowed ,please contract administrator");
-                return;
+            String bmd = "";
+            if(BeanUtils.isNotEmpty(corszlcs.get("can_shu_zhi_1_"))){
+                bmd = (String)corszlcs.get("can_shu_zhi_1_");
+            }
+            //非服务器同域名访问,需要校验白名单
+            if (origin != null && !origin.startsWith(httpRequest.getScheme() + "://" + httpRequest.getServerName())) {
+                if (!bmd.contains(httpRequest.getServerName())) {
+                    log.info("杂类参数表中配置的允许访问的白名单不包括{},请联系管理员添加",httpRequest.getServerName());
+                    response.setStatus(HttpServletResponse.SC_FORBIDDEN); // 403
+                    response.getWriter().write("CORS not allowed ,please contract administrator");
+                    return;
+                }
+                filterChain.doFilter(httpRequest, response);
+            }else{
+                //origin为空放行,或者前端域名和服务器域名相同也放行
+                filterChain.doFilter(httpRequest, response);
             }
-            filterChain.doFilter(httpRequest, response);
         }
 
     }
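Review bot: The whitelist test at `if (!bmd.contains(httpRequest.getServerName()))` compares the server's own host name against the list rather than `origin`, so the Origin header that opened the branch is never checked and every foreign origin is passed through once the server name appears in `can_shu_zhi_1_`; the `startsWith` test above it is likewise only a prefix match (no port, no terminating character), so it treats any origin string that merely begins with the scheme and server name as same-origin. The rewrite below builds the request's own origin the way browsers serialise it (default port omitted), compares it exactly, matches the whitelist entry-for-entry against `origin` instead of with a substring `contains`, and collapses the two identical `filterChain.doFilter` calls into one; the delimiter used in the stored value is not visible in this hunk, so `WHITELIST_SEPARATOR` is a placeholder, and `java.util.List` needs an import if the file lacks it. Consider logging the denial at `warn` with the rejected `origin` rather than the server name, and keep in mind that `getServerName()` derives from the Host header, so it is only as reliable as the front-end's host validation. The enclosing `doFilter` begins before the hunk.
```java
            // … unchanged: lookup of corszlcs and bmd …
            // Browsers omit the default port when serialising Origin; build ours the same way.
            int port = httpRequest.getServerPort();
            String scheme = httpRequest.getScheme();
            boolean defaultPort = ("https".equalsIgnoreCase(scheme) && port == 443)
                    || ("http".equalsIgnoreCase(scheme) && port == 80);
            String self = scheme + "://" + httpRequest.getServerName() + (defaultPort ? "" : ":" + port);
            // Only a cross-origin request (Origin present and not ours) needs the whitelist.
            if (origin != null && !origin.equalsIgnoreCase(self)) {
                // Exact-entry match, not substring; WHITELIST_SEPARATOR = delimiter used in can_shu_zhi_1_ (placeholder).
                if (!List.of(bmd.split(WHITELIST_SEPARATOR)).contains(origin)) {
                    log.warn("杂类参数表中配置的允许访问的白名单不包括{},请联系管理员添加", origin);
                    response.setStatus(HttpServletResponse.SC_FORBIDDEN); // 403
                    response.getWriter().write("CORS not allowed ,please contract administrator");
                    return;
                }
            }
            filterChain.doFilter(httpRequest, response);
```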