Path based vulnerability in Spring hybris
We found a path-based vulnerability issue in a Qualys report. I have already gone through the related Stack Overflow questions and configured useDefaultSuffixPattern to false, as shown below.
I am still able to load the page using /about.anything, even though in the controller I have given @RequestMapping(value = "/about").
Do we need to update any other configuration to stop this from happening?
<bean
class="org.springframework.web.servlet.mvc.annotation.DefaultAnnotationHandlerMapping">
<property name="order" value="0" />
<!-- Set whether to register paths using the default suffix pattern as
well: i.e. whether "/users" should be registered as "/users.*" and "/users/"
too. Default is "true". Turn this convention off if you intend to interpret
your @RequestMapping paths strictly. Note that paths which include a ".xxx"
suffix or end with "/" already will not be transformed using the default
suffix pattern in any case. -->
<property name="useDefaultSuffixPattern" value="false" />
<property name="pathMatcher" ref="pathMatcher" />
</bean>
We are using hybris version 1811.
This may be because of an inherent bug in Spring that ignores everything after the dot (.) in the URL.
To fix this, you have to make the path variable pattern for the GET call in your controller more rigid.
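As an added illustration (not code from the question, the answer, or hybris itself), the following shows the two pieces that together reject /about.anything and /about/: a controller whose mappings are pinned strictly, with a regex-constrained path variable in the spirit of the answer, and a WebMvcConfigurer that turns off suffix-pattern and trailing-slash matching on the RequestMappingHandlerMapping that annotation-driven MVC registers. It assumes Spring MVC 4.x (the line hybris 1811 ships) and that the storefront's requests are dispatched by that handler mapping rather than by the deprecated DefaultAnnotationHandlerMapping bean in the question; AboutPageController, StrictPathConfig and the view names are hypothetical.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.config.annotation.EnableWebMvc;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

// Hypothetical controller. Once suffix matching is disabled (see StrictPathConfig),
// "/about" matches only "/about": "/about.anything" and "/about/" get a 404.
@Controller
public class AboutPageController {

    @RequestMapping(value = "/about", method = RequestMethod.GET)
    public String about() {
        return "pages/about"; // hypothetical view name
    }

    // A regex after the colon restricts what the variable may contain. On its own
    // this does NOT stop suffix matching (Spring would still try "{name:...}.*"),
    // but with suffix matching disabled the variable must cover the whole path
    // segment, so "/page/faq.anything" no longer binds name="faq".
    @RequestMapping(value = "/page/{name:[a-z0-9-]+}", method = RequestMethod.GET)
    public String staticPage(@PathVariable("name") String name) {
        return "pages/" + name; // hypothetical view name
    }
}

// Hypothetical Java config. In Spring 4.x WebMvcConfigurerAdapter is the usual
// base class; it is deprecated in 5.x, where implementing WebMvcConfigurer directly works.
@Configuration
@EnableWebMvc
class StrictPathConfig extends WebMvcConfigurerAdapter {

    @Override
    public void configurePathMatch(PathMatchConfigurer configurer) {
        configurer
            .setUseSuffixPatternMatch(false)  // "/about" no longer implies "/about.*"
            .setUseTrailingSlashMatch(false); // nor "/about/"
    }
}
```

In an XML-configured storefront the same two switches are `<mvc:path-matching suffix-pattern="false" trailing-slash="false"/>` nested inside `<mvc:annotation-driven>`; a quick check after the change is that `curl -i /about.anything` returns 404 while `/about` still returns 200.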