From 6f5ede80ae0df34d8063d475204629c3fce50927 Mon Sep 17 00:00:00 2001
From: Eric Zhao
Date: Wed, 11 Sep 2019 22:29:01 +0800
Subject: [PATCH] dashboard: fix vulnerability of bypassing AuthFilter ACL control - credit to anonymous reporter :)
Signed-off-by: Eric Zhao
---
 .../alibaba/csp/sentinel/dashboard/filter/AuthFilter.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sentinel-dashboard/src/main/java/com/alibaba/csp/sentinel/dashboard/filter/AuthFilter.java b/sentinel-dashboard/src/main/java/com/alibaba/csp/sentinel/dashboard/filter/AuthFilter.java
index 45972c4f..6a809b9a 100644
--- a/sentinel-dashboard/src/main/java/com/alibaba/csp/sentinel/dashboard/filter/AuthFilter.java
+++ b/sentinel-dashboard/src/main/java/com/alibaba/csp/sentinel/dashboard/filter/AuthFilter.java
@@ -75,10 +75,10 @@ public class AuthFilter implements Filter {
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
         throws IOException, ServletException {
         HttpServletRequest httpRequest = (HttpServletRequest) request;
-        String requestURI = httpRequest.getRequestURI();
+        String servletPath = httpRequest.getServletPath();
 
         // Exclude the urls which needn't auth
-        if (authFilterExcludeUrls.contains(requestURI)) {
+        if (authFilterExcludeUrls.contains(servletPath)) {
             chain.doFilter(request, response);
             return;
         }
@@ -94,7 +94,7 @@ public class AuthFilter implements Filter {
             authFilterExcludeUrlSuffix = URL_SUFFIX_DOT + authFilterExcludeUrlSuffix;
         }
 
-        if (requestURI.endsWith(authFilterExcludeUrlSuffix)) {
+        if (servletPath.endsWith(authFilterExcludeUrlSuffix)) {
             chain.doFilter(request, response);
             return;
         }
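Review bot: The new `String servletPath = httpRequest.getServletPath();` line in the first hunk carries no comment saying why the servlet path replaced `getRequestURI()`; the reason lives only in the commit title, so a later maintainer could switch back to the "fuller" URI and reopen the bypass. Suggest adding directly above it: `// Match on the container-decoded, normalized servlet path rather than getRequestURI(): the raw URI can still carry encoded characters, dot segments and ";..." path parameters, so a request the container routes to a protected resource could be spelled to exactly match an excluded URL or suffix.` It is also worth recording that `getServletPath()` omits `getPathInfo()`; with the Spring Boot default mapping of the dispatcher to "/" the two coincide, but under a prefix mapping the compared path would be truncated (fail-closed, since nothing would match the exclusions). doFilter's body continues past the end of the hunk.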
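Review bot: The suffix exemption on the new `if (servletPath.endsWith(authFilterExcludeUrlSuffix))` line in the second hunk still admits a request on its trailing characters alone, so its safety rests on the MVC layer never routing a path like `/some/api.html` onto the handler for `/some/api`; if Spring MVC suffix-pattern matching is enabled in this dashboard's configuration, that routing does happen and an unauthenticated request would pass the filter. Switching to `getServletPath()` does not change this, because the servlet path keeps the suffix. I would confirm `useSuffixPatternMatch` is off for the dispatcher and pin the assumption next to the check: `// Suffix exemption is only safe while the MVC layer never maps "*<suffix>" onto API handlers (suffix pattern matching must stay disabled).` If the exemption is meant for static assets only, scoping it to their path prefix as well would remove the dependency on that setting. doFilter continues beyond this hunk.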