过滤器解决Struts2重定向漏洞
编写过滤器控制类
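package cn.csservice.cssdj.action.filter;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Custom servlet filter that mitigates the Struts2 open-redirect vulnerability.
 *
 * <p>Any query-string parameter whose name starts with {@code redirect} is removed and the
 * client is redirected to the same URL without it. All other requests pass through unchanged.
 *
 * <p>NOTE(review): only the query string is inspected. Parameters sent in a request body never
 * pass through this check, so treat this filter as a stopgap and confirm that the deployed
 * Struts2 version is upgraded to a release that fixes the redirect handling itself.
 *
 * @author shenqz
 */
public class MyFilter implements Filter {

    /** Lower-case prefix of the parameter names that are stripped from the query string. */
    private static final String BLOCKED_PREFIX = "redirect";

    /** No initialisation is needed. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Redirects to a cleaned URL when the query string carries a blocked parameter; otherwise
     * continues the filter chain.
     *
     * @param requ  incoming request
     * @param resp  outgoing response
     * @param chain remaining filter chain
     * @throws IOException      if sending the redirect or the downstream chain fails
     * @throws ServletException if the downstream chain fails
     */
    @Override
    public void doFilter(ServletRequest requ, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        // Non-HTTP requests have no query string to inspect; pass them on instead of failing the cast.
        if (!(requ instanceof HttpServletRequest) || !(resp instanceof HttpServletResponse)) {
            chain.doFilter(requ, resp);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) requ;
        HttpServletResponse response = (HttpServletResponse) resp;

        String query = request.getQueryString();
        if (query != null) {
            String cleaned = stripBlockedParameters(query);
            if (cleaned != null) {
                // Rebuild the target from the request URL plus the parameters that were kept.
                // The cleaned query contains no blocked name, so the follow-up request is not
                // redirected again.
                StringBuffer target = request.getRequestURL();
                if (cleaned.length() > 0) {
                    target.append('?').append(cleaned);
                }
                response.sendRedirect(target.toString());
                return;
            }
        }
        chain.doFilter(request, response);
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Removes every blocked parameter from a raw query string.
     *
     * <p>Pairs are filtered one by one, so unrelated parameters before and after a blocked one
     * are kept verbatim and no stray character is cut from the end of the URL.
     *
     * @param query raw (still percent-encoded) query string, not {@code null}
     * @return the query without blocked parameters (possibly empty), or {@code null} when
     *         nothing had to be removed
     */
    private static String stripBlockedParameters(String query) {
        StringBuilder kept = new StringBuilder();
        boolean removed = false;
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            if (isBlockedParameter(pair)) {
                removed = true;
                continue;
            }
            if (kept.length() > 0) {
                kept.append('&');
            }
            kept.append(pair);
        }
        return removed ? kept.toString() : null;
    }

    /**
     * Decides whether one {@code name=value} pair must be dropped.
     *
     * <p>The name is percent-decoded and lower-cased before the comparison, because the
     * container decodes parameter names before the framework sees them; comparing the raw
     * text alone would let an encoded spelling through. A name that cannot be decoded is
     * dropped as well (fail closed).
     *
     * @param pair one raw query-string segment, with or without {@code =}
     * @return {@code true} if the parameter name starts with the blocked prefix or is malformed
     */
    private static boolean isBlockedParameter(String pair) {
        int eq = pair.indexOf('=');
        String rawName = eq >= 0 ? pair.substring(0, eq) : pair;
        String name;
        try {
            name = URLDecoder.decode(rawName, "UTF-8");
        } catch (IllegalArgumentException e) {
            // Malformed percent-escape: do not guess how the container will read it.
            return true;
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is always available; stay on the safe side if it ever is not.
            return true;
        }
        return name.toLowerCase(Locale.ROOT).startsWith(BLOCKED_PREFIX);
    }
}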
在web.xml中配置过滤器
<!-- Mitigation for the Struts2 open-redirect vulnerability: registers MyFilter for every *.action request. -->
<!-- NOTE(review): filters run in the order their filter-mapping elements appear in web.xml; presumably this mapping has to be declared before the Struts2 dispatcher filter's mapping so the check runs first. Confirm against the full web.xml. -->
<!-- NOTE(review): only URLs matching *.action are covered; if the Struts2 filter is mapped more broadly, other paths are not checked. Confirm. -->
<filter>
    <filter-name>myfilter</filter-name>
    <filter-class> cn.csservice.cssdj.action.filter.MyFilter </filter-class>
</filter>
<filter-mapping>
    <filter-name>myfilter</filter-name>
    <url-pattern>*.action</url-pattern>
</filter-mapping>