瀏覽代碼
dashboard: fix vulnerability of bypassing AuthFilter ACL control
- credit to anonymous reporter :) Signed-off-by: Eric Zhao <sczyh16@gmail.com>master
Eric Zhao
5 年之前
共有 1 個檔案被更改,包括 3 行新增 和 3 行删除
+ 3
- 3
sentinel-dashboard/src/main/java/com/alibaba/csp/sentinel/dashboard/filter/AuthFilter.java
查看文件
| @@ -75,10 +75,10 @@ public class AuthFilter implements Filter { | |||
| public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { | |||
| HttpServletRequest httpRequest = (HttpServletRequest) request; | |||
| String requestURI = httpRequest.getRequestURI(); | |||
| String servletPath = httpRequest.getServletPath(); | |||
| // Exclude the urls which needn't auth | |||
| if (authFilterExcludeUrls.contains(requestURI)) { | |||
| if (authFilterExcludeUrls.contains(servletPath)) { | |||
| chain.doFilter(request, response); | |||
| return; | |||
| } | |||
| @@ -94,7 +94,7 @@ public class AuthFilter implements Filter { | |||
| authFilterExcludeUrlSuffix = URL_SUFFIX_DOT + authFilterExcludeUrlSuffix; | |||
| } | |||
| if (requestURI.endsWith(authFilterExcludeUrlSuffix)) { | |||
| if (servletPath.endsWith(authFilterExcludeUrlSuffix)) { | |||
| chain.doFilter(request, response); | |||
| return; | |||
| } | |||
Loading…