From 1059b7376b5e5562fea26dd7cfb2e4a21469185a Mon Sep 17 00:00:00 2001
From: zengqiao
Date: Tue, 6 Apr 2021 10:01:29 +0800
Subject: [PATCH] forbiden request when uri contain ..

---
 .../kafka/manager/account/impl/LoginServiceImpl.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/impl/LoginServiceImpl.java b/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/impl/LoginServiceImpl.java
index 91af67b3..92ccce58 100644
--- a/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/impl/LoginServiceImpl.java
+++ b/kafka-manager-extends/kafka-manager-account/src/main/java/com/xiaojukeji/kafka/manager/account/impl/LoginServiceImpl.java
@@ -65,8 +65,8 @@ public class LoginServiceImpl implements LoginService {
     @Override
     public boolean checkLogin(HttpServletRequest request, HttpServletResponse response) {
         String uri = request.getRequestURI();
-        if (uri.contains("./") || uri.contains("///")) {
-            LOGGER.error("class=LoginServiceImpl||method=checkLogin||msg=uri illegal, contains ../ or ./ or ///||uri={}", uri);
+        if (uri.contains("..") || uri.contains("./") || uri.contains("///")) {
+            LOGGER.error("class=LoginServiceImpl||method=checkLogin||msg=uri illegal, contains .. or ./ or ///||uri={}", uri);
             singleSignOn.setRedirectToLoginPage(response);
             return false;
         }
-- 
GitLab
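Review bot: The new `uri.contains("..")` test on the `+` line runs against `request.getRequestURI()`, which is the raw, still-percent-encoded request target, so a percent-encoded dot segment would not match any of the three substring tests even though the servlet container decodes the path before it is mapped; the existing `./` and `///` tests have the same gap. Consider applying the checks to a decoded copy as well, e.g. `String decoded = URLDecoder.decode(uri, StandardCharsets.UTF_8);` followed by `if (decoded.contains("..") || decoded.contains("./") || decoded.contains("///") || uri.contains("..") || uri.contains("./") || uri.contains("///")) {`. Exactly how dot segments are normalised before servlet mapping varies by container and version, so the behaviour is worth confirming against the one this service is deployed on. A substring reject-list is brittle in both directions (a legitimately named resource whose path contains `..` is now refused, while an encoding the list does not anticipate passes), so an allow-list of the paths that are exempt from login would be the more robust control here. checkLogin's body continues past the end of the hunk.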