带有Spring RequestMapping路径参数的编码Precent(%25)给出了HTTP 400

时间:2018-11-14 12:41:31

标签: spring spring-boot spring-security spring-data-jpa

我创建了一个控制器来进行数据搜索。但是当我死于关键字'%'时,它将返回HTTP 400错误。 这是控制者:

@RequestMapping(value = "/search/{txtKeyWord}")
public String pageVipStory(@PathVariable("txtKeyWord") String txtKeyWord, Model model) {
     logger.info("Keyword In URL: " + txtKeyWord);
     model.addAttribute("txtKeyWord", txtKeyWord);
     model.addAttribute("txtKeyWordEndCode", UriUtils.encode(txtKeyWord, "UTF-8"));
     getMenuAndInfo(model, "Search " + txtKeyWord);

     return "web/searchPage";
}

通过链接:“ http://localhost:8080/search/%25”,错误消息:

  

org.springframework.security.web.firewall.RequestRejectedException:   该请求是       由于URL包含潜在的恶意字符串“%25”而被拒绝       在org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:325)   〜[spring-security-web-5.1.1.RELEASE.jar:5.1.1.RELEASE]         在org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:293)   〜[spring-security-web-5.1.1.RELEASE.jar:5.1.1.RELEASE]         在org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:194)   〜[spring-security-web-5.1.1.RELEASE.jar:5.1.1.RELEASE]         在org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)   〜[spring-security-web-5.1.1.RELEASE.jar:5.1.1.RELEASE]         在org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)   〜[spring-web-5.1.2.RELEASE.jar:5.1.2.RELEASE]         在org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)   〜[spring-web-5.1.2.RELEASE.jar:5.1.2.RELEASE]         在org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)   〜[tomcat-embed-core-9.0.12.jar:9.0.12]         在org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)   〜[tomcat-embed-core-9.0.12.jar:9.0.12]         在org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)   〜[spring-web-5.1.2.RELEASE.jar:5.1.2.RELEASE]         在org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)   〜[spring-web-5.1.2.RELEASE.jar:5.1.2.RELEASE]         在org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)   〜[tomcat-embed-core-9.0.12.jar:9.0.12]         在org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)   〜[tomcat-embed-core-9.0.12.jar:9.0.12]         在org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:92)   〜[spring-web-5.1.2.RELEASE.jar:5.1.2.RELEASE]         在org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)   〜[spring-web-5.1.2.RELEASE.jar:5.1.2.RELEASE]         在org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)   〜[tomcat-embed-core-9.0.12.jar:9.0.12]         在org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)   〜[tomcat-embed-core-9.0.12.jar:9.0.12]         在org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:93)   〜[spring-web-5.1.2.RELEASE.jar:5.1.2.RELEASE]         在org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)   〜[spring-web-5.1.2.RELEASE.jar:5.1.2.RELEASE]         在org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)   〜[tomcat-embed-core-9.0.12.jar:9.0.12]         在org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)   〜[tomcat-embed-core-9.0.12.jar:9.0.12]         在org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:154)   〜[spring-boot-actuator-2.1.0.BUILD-20181030.063958-621.jar:2.1.0.BUILD-SNAPSHOT]         在org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.filterAndRecordMetrics(WebMvcMetricsFilter.java:122)   〜[spring-boot-actuator-2.1.0.BUILD-20181030.063958-621.jar:2.1.0.BUILD-SNAPSHOT]         在org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:107)   〜[spring-boot-actuator-2.1.0.BUILD-20181030.063958-621.jar:2.1.0.BUILD-SNAPSHOT]         在org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)   〜[spring-web-5.1.2.RELEASE.jar:5.1.2.RELEASE]         在org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)   〜[tomcat-embed-core-9.0.12.jar:9.0.12]         在org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)   〜[tomcat-embed-core-9.0.12.jar:9.0.12]         在org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)   〜[spring-web-5.1.2.RELEASE.jar:5.1.2.RELEASE]         在org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)   〜[spring-web-5.1.2.RELEASE.jar:5.1.2.RELEASE]         在org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)   〜[tomcat-embed-core-9.0.12.jar:9.0.12]         在org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)   〜[tomcat-embed-core-9.0.12.jar:9.0.12]         在org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)   〜[tomcat-embed-core-9.0.12.jar:9.0.12]         在org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)   [tomcat-embed-core-9.0.12.jar:9.0.12]         在org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)   [tomcat-embed-core-9.0.12.jar:9.0.12]         在org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)   [tomcat-embed-core-9.0.12.jar:9.0.12]         在org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)   [tomcat-embed-core-9.0.12.jar:9.0.12]         在org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)   [tomcat-embed-core-9.0.12.jar:9.0.12]         在org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)   [tomcat-embed-core-9.0.12.jar:9.0.12]         在org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:408)   [tomcat-embed-core-9.0.12.jar:9.0.12]         在org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)   [tomcat-embed-core-9.0.12.jar:9.0.12]         在org.apache.coyote.AbstractProtocol $ ConnectionHandler.process(AbstractProtocol.java:770)   [tomcat-embed-core-9.0.12.jar:9.0.12]         在org.apache.tomcat.util.net.NioEndpoint $ SocketProcessor.doRun(NioEndpoint.java:1415)   [tomcat-embed-core-9.0.12.jar:9.0.12]         在org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)   [tomcat-embed-core-9.0.12.jar:9.0.12]         在java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)   [na:1.8.0_172]         在java.util.concurrent.ThreadPoolExecutor $ Worker.run(ThreadPoolExecutor.java:624)   [na:1.8.0_172]         在org.apache.tomcat.util.threads.TaskThread $ WrappingRunnable.run(TaskThread.java:61)   [tomcat-embed-core-9.0.12.jar:9.0.12]         在java.lang.Thread.run(Thread.java:748)[na:1.8.0_172]

谁可以告诉我错误所在。以及如何克服呢?谢谢!

1 个答案:

答案 0 :(得分:2)

您可以使用您自定义的StrictHttpFirewall实例获得默认的Spring Security Firewall。

@Bean
public HttpFirewall allowUrlEncodedPercentHttpFirewall() {
    StrictHttpFirewall firewall = new StrictHttpFirewall();
    firewall.setAllowUrlEncodedPercent(true);
    return firewall;
}

请注意,这可能导致涉及双重URL编码的漏洞利用,从而绕过安全约束。

相关问题
最新问题