Просмотр исходного кода

dashboard: fix vulnerability of bypassing AuthFilter ACL control

- credit to anonymous reporter :)

Signed-off-by: Eric Zhao <sczyh16@gmail.com>
master
Eric Zhao 5 лет назад
Родитель
Сommit
6f5ede80ae
1 измененных файлов: 3 добавлений и 3 удалений
  1. +3
    -3
      sentinel-dashboard/src/main/java/com/alibaba/csp/sentinel/dashboard/filter/AuthFilter.java

+ 3
- 3
sentinel-dashboard/src/main/java/com/alibaba/csp/sentinel/dashboard/filter/AuthFilter.java Просмотреть файл

@@ -75,10 +75,10 @@ public class AuthFilter implements Filter {
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest httpRequest = (HttpServletRequest) request;

String requestURI = httpRequest.getRequestURI();
String servletPath = httpRequest.getServletPath();

// Exclude the urls which needn't auth
if (authFilterExcludeUrls.contains(requestURI)) {
if (authFilterExcludeUrls.contains(servletPath)) {
chain.doFilter(request, response);
return;
}
@@ -94,7 +94,7 @@ public class AuthFilter implements Filter {
authFilterExcludeUrlSuffix = URL_SUFFIX_DOT + authFilterExcludeUrlSuffix;
}

if (requestURI.endsWith(authFilterExcludeUrlSuffix)) {
if (servletPath.endsWith(authFilterExcludeUrlSuffix)) {
chain.doFilter(request, response);
return;
}


Загрузка…
Отмена
Сохранить