From ac8aaa132393dda95972ec69093b13a74e814735 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=B4=94=E5=BF=97=E9=98=B3?= <1459645586@qq.com>
Date: Thu, 29 Aug 2024 10:34:38 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=AD=A3XSS=E6=B3=A8=E5=85=A5?=
 =?UTF-8?q?=E6=BC=8F=E6=B4=9E:=E5=A4=84=E7=90=86noTrustHost=E6=97=B6?=
 =?UTF-8?q?=E7=9B=AE=E6=A0=87host=E4=B8=BAhtml=E5=AD=97=E7=AC=A6=E4=B8=B2?=
 =?UTF-8?q?=E9=97=AE=E9=A2=98,=E5=AF=B9html=E5=AD=97=E7=AC=A6=E4=B8=B2?=
 =?UTF-8?q?=E8=BF=9B=E8=A1=8C=E8=BD=AC=E4=B9=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

复现步骤:
1. application.properties 中trust.host 指定一个host,如10.0.0.1
2.使用如下文件地址访问: picturesPreview?url=aHR0cDovLzxpbWcgc3JjPTEgb25lcnJvcj1hbGVydCgxKT4vMS5qcGc=
【该base64解码为】
3.复现情况:预览该文件浏览器将会弹出alert(1);
---
 server/src/main/java/cn/keking/web/filter/TrustHostFilter.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/src/main/java/cn/keking/web/filter/TrustHostFilter.java b/server/src/main/java/cn/keking/web/filter/TrustHostFilter.java
index e40120471..542c24652 100644
--- a/server/src/main/java/cn/keking/web/filter/TrustHostFilter.java
+++ b/server/src/main/java/cn/keking/web/filter/TrustHostFilter.java
@@ -12,6 +12,7 @@
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
+import fr.opensagres.xdocreport.core.utils.StringEscapeUtils;
 import org.apache.commons.collections4.CollectionUtils;
 import org.springframework.core.io.ClassPathResource;
 import org.springframework.util.FileCopyUtils;
@@ -42,7 +43,7 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 String host = WebUtils.getHost(url);
 assert host != null;
 if (isNotTrustHost(host)) {
- String html = this.notTrustHostHtmlView.replace("${current_host}", host);
+ String html = this.notTrustHostHtmlView.replace("${current_host}", StringEscapeUtils.escapeHtml(host));
 response.getWriter().write(html);
 response.getWriter().close();
 } else {
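Review bot: `StringEscapeUtils.escapeHtml` on the added line is XDocReport's escaper, which makes a document-conversion library an incidental dependency of a servlet filter, and I cannot confirm from this page that it escapes the single quote; Spring is already on the classpath (the hunk keeps `import org.springframework.util.FileCopyUtils;`) and `org.springframework.web.util.HtmlUtils.htmlEscape` is documented to escape `<`, `>`, `&`, `"` and `'`, so it is safe in both text and quoted-attribute positions. I would change the line to `String html = this.notTrustHostHtmlView.replace("${current_host}", HtmlUtils.htmlEscape(host));` and swap the new import for `import org.springframework.web.util.HtmlUtils;`. Entity escaping is only the right fix if `${current_host}` sits in HTML body text or a quoted attribute in the not-trusted-host template; if the placeholder is inside a `<script>` block, HTML escaping does not stop injection, so please confirm against the template, which is not part of the patch. Separately, `assert host != null;` two lines above is a no-op on a JVM without `-ea`, so a URL whose host cannot be parsed reaches the escaper as `null`; an explicit null check that rejects the request would make that guard real. The body of `doFilter` continues outside the hunk.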