使用过滤器过滤特殊字符，在解决web系统安全漏洞时经常用到

新建一个过滤器类CheckStringFilter ，进行访问路径中传参特殊字符过滤。

 

package com.cwc.filter;

import java.io.IOException;
import java.util.Date;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;

import com.cwc.util.StringUtil;

/**
*
* @author chunxiu@orientalwisdom.com
*
*/
public class CheckStringFilter implements Filter {
private static Logger log = Logger.getLogger("PLATFORM");
private FilterConfig config;
private String filterConfig;

public void destroy() {
this.config = null;
filterConfig = null;
}

public void doFilter(ServletRequest servletrequest, ServletResponse servletresponse,
FilterChain filterchain) throws IOException, ServletException {
try
{
HttpServletRequest req = (HttpServletRequest)servletrequest;
HttpServletResponse resp = (HttpServletResponse)servletresponse;
String currentURL = StringUtil.getCurrentURL(req); //当前访问URL
log.info(new Date() +" currentURL:"+currentURL);
System.out.println(filterConfig);
String[] list = filterConfig.split(",");
boolean flag = true;
if(currentURL!=null&&!"".equals(currentURL)){
flag = StringUtil.checkStringValue(currentURL,list);
}

if(flag){

//获得所有request中的参数
// Map map = req.getParameterMap();
// Set key = map.keySet();
// for(Object object: key.toArray()){
// String parakey = object.toString();
// String paravalue = ((String[])map.get(object))[0];
// System.out.println("key="+parakey+" paravalue="+paravalue);
// flag = StringUtil.checkStringValue(paravalue,list);
// if(!flag){
// log.error(new Date()+" error Parameter: "+"key="+parakey+" paravalue="+paravalue);
// break;
// }
// }
}else{
log.error(new Date()+" error currentURL:"+currentURL);
}
if(!flag){
//resp.sendRedirect("./404.html"); 

//如果不设置直接return就返回一个空白页面

return;
}else{
filterchain.doFilter(servletrequest, servletresponse);
}
} catch (Exception e) {
e.printStackTrace();
log.error("OrgChangeFilter error:" + e);
}
}

public void init(FilterConfig filterconfig) throws ServletException {
this.config = filterconfig;
filterConfig = filterconfig.getInitParameter("regexp");

}

public FilterConfig getFilterConfig() {
return config;
}

}

 //////////////////////////////StringUtil.java////////////////////////////

public static boolean checkStringValue(String str,String[] list){
  boolean flag = true;

  str = URLEncoder.encode(st);
  if(str!=null&&!"".equals(str)){
   for(int i=0;i<list.length;i++){
    if(str.indexOf(list[i])>-1){
     flag = false;
    }
   }
  }
  return flag;
 }

////////////////////////////////////////////////////////////////////////////////

在web.xml中加入

<filter>
<filter-name>CheckStringFilter</filter-name>
<filter-class>com.cwc.filter.CheckStringFilter
</filter-class>
<init-param>
<param-name>regexp</param-name>

<!-- 将特殊字符转换成decoder  -->
<param-value>%3c,%3e,%3b,%2b,%2a,%23,%7c,%28,%29,%27,%24</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>CheckStringFilter</filter-name>
<url-pattern>*.html</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CheckStringFilter</filter-name>
<url-pattern>/appController/*</url-pattern>
</filter-mapping>