MaxKey 3 yıl önce
02fcbc870c

+ 12 - 2
maxkey-core/src/main/java/org/maxkey/web/WebXssRequestFilter.java

@@ -37,6 +37,7 @@ public class WebXssRequestFilter  extends GenericFilterBean {
 	final static Logger _logger = LoggerFactory.getLogger(GenericFilterBean.class);	
 	
 	final static ConcurrentHashMap <String,String> skipUrlMap = new  ConcurrentHashMap <String,String>();
+	final static ConcurrentHashMap <String,String> skipParameterName = new  ConcurrentHashMap <String,String>();
 	
 	static {
 		//add or update
@@ -45,8 +46,6 @@ public class WebXssRequestFilter  extends GenericFilterBean {
 		skipUrlMap.put("/institutions/update","/institutions/update");
 		skipUrlMap.put("/localization/update","/localization/update");
 		skipUrlMap.put("/apps/updateExtendAttr","/apps/updateExtendAttr");
-		skipUrlMap.put("/synchronizers/add","/synchronizers/add");
-		skipUrlMap.put("/synchronizers/update","/synchronizers/update");
 		
 		//authz
 		skipUrlMap.put("/authz/cas", "/authz/cas");
@@ -56,6 +55,15 @@ public class WebXssRequestFilter  extends GenericFilterBean {
 		//TENCENT_IOA
 		skipUrlMap.put("/oauth2/authorize", "/oauth2/authorize");
 		
+		skipParameterName.put("relatedPassword", "relatedPassword");
+		skipParameterName.put("oldPassword", "oldPassword");
+		skipParameterName.put("password", "password");
+		skipParameterName.put("confirmpassword", "confirmpassword");
+		skipParameterName.put("credentials", "credentials");
+		skipParameterName.put("clientSecret", "clientSecret");
+		skipParameterName.put("appSecret", "appSecret");
+		skipParameterName.put("sharedSecret", "sharedSecret");
+		skipParameterName.put("secret", "secret");
 	}
 	
 	@Override
@@ -76,6 +84,8 @@ public class WebXssRequestFilter  extends GenericFilterBean {
 	        Enumeration<String> parameterNames = request.getParameterNames();
 	        while (parameterNames.hasMoreElements()) {
 	          String key = (String) parameterNames.nextElement();
+	          if(skipParameterName.containsKey(key)) {continue;}
+	          
 	          String value = request.getParameter(key);
 	          _logger.trace("parameter name "+key +" , value " + value);
 	          String tempValue = value;
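Review bot: The exemption added at the top of the parameter loop, `if(skipParameterName.containsKey(key)) {continue;}`, is an exact, case-sensitive match on the bare parameter name and is not scoped to any URL, so a request parameter named `secret` or `credentials` bypasses XSS sanitization on every request the filter sees, while a differently cased or prefixed credential field (for example `newPassword`) is still rewritten; neither the rule nor its reason is stated anywhere in the file. A comment above the `skipParameterName` declaration would make the contract explicit, e.g. `// parameter names whose values are passed through unsanitized: credentials may legitimately contain characters the filter would rewrite; exact, case-sensitive match on the name only — any handler that echoes one of these values back must escape it itself`. Because the map's values are never read, the skip list reads more naturally as a `Set<String>` (e.g. `ConcurrentHashMap.newKeySet()` filled in the static block), though the existing `skipUrlMap` uses the same key-equals-value idiom, so changing only one of them would be inconsistent. The method containing this loop begins before and continues after the hunk, so where the sanitized value is applied cannot be checked here.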

+ 1 - 0
maxkey-webs/maxkey-web-mgt/src/main/java/org/maxkey/MaxKeyMgtMvcConfig.java

@@ -134,6 +134,7 @@ public class MaxKeyMgtMvcConfig implements WebMvcConfigurer {
                 .addPathPatterns("/ldapcontext/**")
                 .addPathPatterns("/emailsenders/**")
                 .addPathPatterns("/smsprovider/**")
+                .addPathPatterns("/synchronizers/**")
                 
                 ;