!253 修复：非法请求使过滤器失效，出现严重安全问题

* BaseUrlFilter 修改过滤全部路径,保证 BaseUrlFilter 优于UrlCheckFilter 执行 * 清除无用 html * 非法请求过滤器: 修复请求 path 中包含 // 或者以 / 结尾导致其它过滤器失效，对请求进行重定向 * 非法请求过滤器: 替换 getRequestURI() 为 getServletPath() * 非法请求过滤器: 截取 context-path * 非法请求过滤器: 去除 context-path * 非法请求过滤器: 排除首页path "/" * 非法请求过滤器: 请求地址中包含"//"或者以"/"结尾时导致其他过滤器失效，比如 TrustHostFilter
2025-10-15 18:55:02 +08:00 · 2024-02-21 02:56:54 +00:00
parent bef81a940e
commit 448a700687
2 changed files with 64 additions and 4 deletions
--- a/server/src/main/java/cn/keking/config/WebConfig.java
+++ b/server/src/main/java/cn/keking/config/WebConfig.java
@@ -30,11 +30,13 @@ public class WebConfig implements WebMvcConfigurer {
        registry.addResourceHandler("/**").addResourceLocations("classpath:/META-INF/resources/","classpath:/resources/","classpath:/static/","classpath:/public/","file:" + filePath);
    }

+
    @Bean
    public FilterRegistrationBean<ChinesePathFilter> getChinesePathFilter() {
        ChinesePathFilter filter = new ChinesePathFilter();
        FilterRegistrationBean<ChinesePathFilter> registrationBean = new FilterRegistrationBean<>();
        registrationBean.setFilter(filter);
+        registrationBean.setOrder(10);
        return registrationBean;
    }

@@ -67,14 +69,20 @@ public class WebConfig implements WebMvcConfigurer {
    @Bean
    public FilterRegistrationBean<BaseUrlFilter> getBaseUrlFilter() {
        Set<String> filterUri = new HashSet<>();
-        filterUri.add("/index");
-        filterUri.add("/");
-        filterUri.add("/onlinePreview");
-        filterUri.add("/picturesPreview");
        BaseUrlFilter filter = new BaseUrlFilter();
        FilterRegistrationBean<BaseUrlFilter> registrationBean = new FilterRegistrationBean<>();
        registrationBean.setFilter(filter);
        registrationBean.setUrlPatterns(filterUri);
+        registrationBean.setOrder(20);
+        return registrationBean;
+    }
+
+    @Bean
+    public FilterRegistrationBean<UrlCheckFilter> getUrlCheckFilter() {
+        UrlCheckFilter filter = new UrlCheckFilter();
+        FilterRegistrationBean<UrlCheckFilter> registrationBean = new FilterRegistrationBean<>();
+        registrationBean.setFilter(filter);
+        registrationBean.setOrder(30);
        return registrationBean;
    }