forbiden request when uri contain ..

1059b737 · zengqiao · f38ab4a9 · 1059b737
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/impl/LoginServiceImpl.java ...aojukeji/kafka/manager/account/impl/LoginServiceImpl.java +2 -2

未找到文件。
--- a/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/impl/LoginServiceImpl.java
+++ b/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/impl/LoginServiceImpl.java
@@ -65,8 +65,8 @@ public class LoginServiceImpl implements LoginService {
    @Override
    public boolean checkLogin(HttpServletRequest request, HttpServletResponse response) {
        String uri = request.getRequestURI();
-        if (uri.contains("./") || uri.contains("///")) {
-            LOGGER.error("class=LoginServiceImpl||method=checkLogin||msg=uri illegal, contains ../ or ./ or ///||uri={}", uri);
+        if (uri.contains("..") || uri.contains("./") || uri.contains("///")) {
+            LOGGER.error("class=LoginServiceImpl||method=checkLogin||msg=uri illegal, contains .. or ./ or ///||uri={}", uri);
            singleSignOn.setRedirectToLoginPage(response);
            return false;
        }