漏洞描述:
修复方式:
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
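/**
 * Cross-origin (CORS) response filter.
 *
 * <p>Adds the CORS headers to every response this filter is mapped to. Because
 * {@code Access-Control-Allow-Credentials: true} is sent, the allowed origin must be one
 * explicit origin and never {@code *}: browsers reject credentialed responses that carry a
 * wildcard, and a wildcard would let any site issue cookie-bearing requests. The origin is
 * read from the {@code allow-origin} property (for example {@code https://app.example.com}
 * or a bare {@code host:port}, which defaults to {@code http://}).
 *
 * @author yi wei — filter class written for the penetration-test remediation
 * @date create in 2021/11/30 10:43
 **/
@Component
// NOTE(review): "/" matches only the root path; "/*" is the servlet pattern that covers every
// request — confirm which one is intended.
@javax.servlet.annotation.WebFilter(urlPatterns = "/", filterName = "WebFilter")
public class WebFilter implements Filter {

    /** Raw configured origin; normalized by {@link #normalizeOrigin(String)} on each request. */
    @Value("${allow-origin}")
    private String allowOrigin;

    @Override
    public void init(FilterConfig filterConfig) {
        // Nothing to set up: the allowed origin is injected by Spring and normalized per request.
    }

    /**
     * Writes the CORS headers and continues the chain.
     *
     * <p>The normalized origin is kept in a local variable rather than written back into the
     * injected field, so concurrent requests never observe a partially updated value. When no
     * usable origin is configured, no CORS headers are emitted at all, so browsers block
     * cross-origin access instead of it being silently allowed.
     *
     * @param servletRequest  the incoming request, passed through unchanged
     * @param servletResponse the response; must be an {@link HttpServletResponse}
     * @param chain           the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        String origin = normalizeOrigin(allowOrigin);
        if (origin != null) {
            // Send the single configured origin, never "*": "*" together with
            // Allow-Credentials: true is the misconfiguration this filter exists to remove.
            response.setHeader("Access-Control-Allow-Origin", origin);
            response.setHeader("Access-Control-Allow-Credentials", "true");
            response.setHeader("Access-Control-Allow-Methods", "POST, GET, PATCH, DELETE, PUT");
            response.setHeader("Access-Control-Max-Age", "3600");
            response.setHeader("Access-Control-Allow-Headers",
                    "Origin, X-Requested-With, Content-Type, Accept");
        }
        chain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Turns the configured value into an origin in the form a browser sends it: scheme, host
     * and optional port, with no trailing slash.
     *
     * @param configured raw property value, e.g. {@code 10.0.0.5:8080} or
     *                   {@code https://app.example.com/}
     * @return the normalized origin, or {@code null} when the value is null, blank, or the
     *         wildcard {@code *} (a wildcard cannot be combined with credentials)
     */
    static String normalizeOrigin(String configured) {
        if (configured == null) {
            return null;
        }
        String origin = configured.trim();
        if (origin.isEmpty() || "*".equals(origin)) {
            return null;
        }
        if (!origin.startsWith("http://") && !origin.startsWith("https://")) {
            // Keeps the original default: a bare host or IP is treated as plain http.
            origin = "http://" + origin;
        }
        // An Origin header never ends with "/", so a trailing slash would never match.
        if (origin.endsWith("/") && !origin.endsWith("//")) {
            origin = origin.substring(0, origin.length() - 1);
        }
        return origin;
    }

    @Override
    public void destroy() {
        // No resources are held.
    }
}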
注意代码中的 allowOrigin 为自己需要配置的IP地址;
此项目中我是放到了配置文件中使用,也可以代码中硬编码;