使用过滤器过滤特殊字符,在解决web系统安全漏洞时经常用到
新建一个过滤器类CheckStringFilter ,进行访问路径中传参特殊字符过滤。
package com.cwc.filter;
import java.io.IOException;
import java.util.Date;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.log4j.Logger;
import com.cwc.util.StringUtil;
/**
*
* @author chunxiu@orientalwisdom.com
*
*/
public class CheckStringFilter implements Filter {
private static Logger log = Logger.getLogger("PLATFORM");
private FilterConfig config;
private String filterConfig;
public void destroy() {
this.config = null;
filterConfig = null;
}
public void doFilter(ServletRequest servletrequest, ServletResponse servletresponse,
FilterChain filterchain) throws IOException, ServletException {
try
{
HttpServletRequest req = (HttpServletRequest)servletrequest;
HttpServletResponse resp = (HttpServletResponse)servletresponse;
String currentURL = StringUtil.getCurrentURL(req); //当前访问URL
log.info(new Date() +" currentURL:"+currentURL);
System.out.println(filterConfig);
String[] list = filterConfig.split(",");
boolean flag = true;
if(currentURL!=null&&!"".equals(currentURL)){
flag = StringUtil.checkStringValue(currentURL,list);
}
if(flag){
//获得所有request中的参数
// Map map = req.getParameterMap();
// Set key = map.keySet();
// for(Object object: key.toArray()){
// String parakey = object.toString();
// String paravalue = ((String[])map.get(object))[0];
// System.out.println("key="+parakey+" paravalue="+paravalue);
// flag = StringUtil.checkStringValue(paravalue,list);
// if(!flag){
// log.error(new Date()+" error Parameter: "+"key="+parakey+" paravalue="+paravalue);
// break;
// }
// }
}else{
log.error(new Date()+" error currentURL:"+currentURL);
}
if(!flag){
//resp.sendRedirect("./404.html");
//如果不设置直接return就返回一个空白页面
return;
}else{
filterchain.doFilter(servletrequest, servletresponse);
}
} catch (Exception e) {
e.printStackTrace();
log.error("OrgChangeFilter error:" + e);
}
}
public void init(FilterConfig filterconfig) throws ServletException {
this.config = filterconfig;
filterConfig = filterconfig.getInitParameter("regexp");
}
public FilterConfig getFilterConfig() {
return config;
}
}
//////////////////////////////StringUtil.java////////////////////////////
public static boolean checkStringValue(String str,String[] list){
boolean flag = true;
str = URLEncoder.encode(st);
if(str!=null&&!"".equals(str)){
for(int i=0;i<list.length;i++){
if(str.indexOf(list[i])>-1){
flag = false;
}
}
}
return flag;
}
////////////////////////////////////////////////////////////////////////////////
在web.xml中加入
<filter>
<filter-name>CheckStringFilter</filter-name>
<filter-class>com.cwc.filter.CheckStringFilter
</filter-class>
<init-param>
<param-name>regexp</param-name>
<!-- 将特殊字符转换成decoder -->
<param-value>%3c,%3e,%3b,%2b,%2a,%23,%7c,%28,%29,%27,%24</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CheckStringFilter</filter-name>
<url-pattern>*.html</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CheckStringFilter</filter-name>
<url-pattern>/appController/*</url-pattern>
</filter-mapping>