Found a major vulnerability #6

Open
929408183 opened this issue Dec 27, 2020 · 3 comments

929408183 commented Dec 27, 2020

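The login interceptor can be skipped by starting the path with //admin; the admin back-end endpoints are then reachable and respond normally.
For example:
POST http://127.0.0.1//admin/v1/blogConfig/add
Parameters:
configField=111
configName=111
configValue=111
The endpoint can be accessed without logging in.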

@929408183
Author

```java
if (uri.startsWith("/admin") && null == request.getSession().getAttribute("loginUserId"))
```
Just remove this uri.startsWith("/admin").

@Linn-cn
Collaborator

Linn-cn commented Dec 27, 2020

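> if (uri.startsWith("/admin") && null == request.getSession().getAttribute("loginUserId"))
> Just remove this uri.startsWith("/admin").

Got it, but I think it is better to solve it as follows:
```java
Pattern pattern = Pattern.compile("\\b/admin\\b");
pattern.matcher(uri).find()
```
Because this interceptor only targets the admin back end, simply removing uri.startsWith("/admin") would make it intercept everything.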

@Linn-cn Linn-cn self-assigned this Dec 27, 2020
@Linn-cn Linn-cn added the bug Something isn't working label Dec 27, 2020
@929408183
Author

The intercepted paths are configured in the configuration class, so //admin/xxx will not be let through either.
```java
// Add an interceptor for URL paths prefixed with /admin (admin back-end login interception)
registry.addInterceptor(adminLoginInterceptor)
        .addPathPatterns("/admin/**")
        .excludePathPatterns("/admin/v1/login")
        .excludePathPatterns("/admin/v1/reload")
        .excludePathPatterns("/admin/dist/**")
        .excludePathPatterns("/admin/plugins/**")
        .excludePathPatterns("/X-admin/**");
```
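
The path checks discussed in this thread, compared side by side as an added example (not the project's code): the class name, the `normalizedPrefix` helper and the `/administrator` sample are assumptions made here, and `true` means the session check would be applied to that URI.

```java
import java.util.List;
import java.util.regex.Pattern;

// Added illustration; class and helper names are hypothetical, not from the project.
public class AdminPathCheckDemo {

    // Check as quoted in the issue: prefix test on the raw request URI.
    static boolean rawPrefix(String uri) {
        return uri.startsWith("/admin");
    }

    // Check proposed in the thread: regex search with word boundaries.
    static final Pattern WORD_BOUNDARY = Pattern.compile("\\b/admin\\b");

    static boolean regexFind(String uri) {
        return WORD_BOUNDARY.matcher(uri).find();
    }

    // Assumed alternative: collapse repeated slashes, then compare whole
    // path segments so "/admin" and "/admin/..." match but "/administrator" does not.
    static boolean normalizedPrefix(String uri) {
        String path = uri.replaceAll("/{2,}", "/");
        return path.equals("/admin") || path.startsWith("/admin/");
    }

    public static void main(String[] args) {
        // The first two URIs come from the issue; the third is a constructed sample.
        List<String> uris = List.of(
                "/admin/v1/blogConfig/add",
                "//admin/v1/blogConfig/add",
                "/administrator");

        // One row per URI, one column per check.
        System.out.printf("%-28s %-8s %-8s %-10s%n", "uri", "raw", "regex", "normalized");
        for (String uri : uris) {
            System.out.printf("%-28s %-8b %-8b %-10b%n",
                    uri, rawPrefix(uri), regexFind(uri), normalizedPrefix(uri));
        }
    }
}
```

Java's `\b` matches only between a word character and a non-word character, so with `find()` the pattern `\b/admin\b` needs a word character directly before `/admin` and does not match a URI that begins with `/admin` or `//admin`.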
