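A while ago, a vulnerability numbered CVE-2017-5638 was disclosed in Struts2. Affected systems and versions: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10.
The project manager applied a quick fix: he simply added the following property to the configuration file.
The property is: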
<constant name="struts.multipart.parser" value="cos"></constant>
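It was not tested either, and a few days later the customer reported that files and images could no longer be uploaded. I was asked to take a look, and I found that the backend was throwing an error.
The error was: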
java.lang.RuntimeException: Unable to load bean org.apache.struts2.dispatcher.multipart.MultiPartRequest (cos) - [unknown location]
at com.opensymphony.xwork2.inject.ContainerBuilder$4.create(ContainerBuilder.java:132)
at com.opensymphony.xwork2.inject.ContainerImpl.getInstance(ContainerImpl.java:514)
at com.opensymphony.xwork2.inject.ContainerImpl.getInstance(ContainerImpl.java:524)
at com.opensymphony.xwork2.inject.ContainerImpl$9.call(ContainerImpl.java:555)
at com.opensymphony.xwork2.inject.ContainerImpl.callInContext(ContainerImpl.java:584)
Truncated. see log file for complete stacktrace
Caused By: Unable to load bean org.apache.struts2.dispatcher.multipart.MultiPartRequest (cos) - [unknown location]
at org.apache.struts2.config.BeanSelectionProvider$ObjectFactoryDelegateFactory.create(BeanSelectionProvider.java:468)
at com.opensymphony.xwork2.inject.ContainerBuilder$4.create(ContainerBuilder.java:130)
at com.opensymphony.xwork2.inject.ContainerImpl.getInstance(ContainerImpl.java:514)
at com.opensymphony.xwork2.inject.ContainerImpl.getInstance(ContainerImpl.java:524)
at com.opensymphony.xwork2.inject.ContainerImpl$9.call(ContainerImpl.java:555)
Truncated. see log file for complete stacktrace
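After a lot of searching on Baidu, I found this blog post.
Blog link: http://www.cnblogs.com/pigtail/archive/2013/02/12/2910348.html
Actually, the part highlighted in red at the time already made it clear: the corresponding jar package needs to be added.
Later I also referred to this blog post: http://www.iteye.com/topic/316626
Following it, I wrote an implementation class and added this to the configuration file:
<!-- Configure the parser for cos file uploads -->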
<bean type="org.apache.struts2.dispatcher.multipart.MultiPartRequest" name="cos" class="com.nuchina.common.util.CosMultiPartRequest" />
The correct approach is as follows:
1. Add cos.jar
2. Create a class that implements the org.apache.struts2.dispatcher.multipart.MultiPartRequest interface
package com.nuchina.common.util;

import java.io.File;
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

import javax.servlet.http.HttpServletRequest;

import org.apache.struts2.StrutsConstants;
import org.apache.struts2.dispatcher.multipart.MultiPartRequest;

import com.opensymphony.xwork2.inject.Inject;
import com.oreilly.servlet.MultipartRequest;

/**
 * Struts2 multipart parser backed by cos.jar (com.oreilly.servlet.MultipartRequest).
 * Registered in struts.xml under the bean name "cos".
 */
public class CosMultiPartRequest implements MultiPartRequest {

    // The cos parser for the current request; created in parse()
    private MultipartRequest multi;
    private String defaultEncoding;
    private boolean maxSizeProvided;
    private int maxSize;

    // Injected from the struts.i18n.encoding constant
    @Inject(StrutsConstants.STRUTS_I18N_ENCODING)
    public void setDefaultEncoding(String defaultEncoding) {
        this.defaultEncoding = defaultEncoding;
    }

    // Injected from the struts.multipart.maxSize constant
    @Inject(StrutsConstants.STRUTS_MULTIPART_MAXSIZE)
    public void setMaxSize(String maxSize) {
        this.maxSizeProvided = true;
        this.maxSize = Integer.parseInt(maxSize);
    }

    @Override
    public String[] getContentType(String fieldName) {
        return new String[] { multi.getContentType(fieldName) };
    }

    // This implementation never reports parse errors to Struts
    @SuppressWarnings("unchecked")
    @Override
    public List getErrors() {
        return Collections.EMPTY_LIST;
    }

    @Override
    public File[] getFile(String fieldName) {
        return new File[] { multi.getFile(fieldName) };
    }

    @Override
    public String[] getFileNames(String fieldName) {
        // getFile() returns null when no file was sent for this field
        File file = multi.getFile(fieldName);
        return new String[] { file == null ? null : file.getName() };
    }

    @SuppressWarnings("unchecked")
    @Override
    public Enumeration<String> getFileParameterNames() {
        return multi.getFileNames();
    }

    @Override
    public String[] getFilesystemName(String name) {
        return new String[] { multi.getFilesystemName(name) };
    }

    @Override
    public String getParameter(String name) {
        return multi.getParameter(name);
    }

    @SuppressWarnings("unchecked")
    @Override
    public Enumeration<String> getParameterNames() {
        return multi.getParameterNames();
    }

    @Override
    public String[] getParameterValues(String name) {
        return multi.getParameterValues(name);
    }

    @Override
    public void parse(HttpServletRequest request, String saveDir) throws IOException {
        if (maxSizeProvided) {
            // Enforce the size limit configured through struts.multipart.maxSize
            multi = new MultipartRequest(request, saveDir, maxSize, defaultEncoding);
        } else {
            // No limit injected: cos applies its own default size limit
            multi = new MultipartRequest(request, saveDir, defaultEncoding);
        }
    }

    @Override
    public void cleanUp() {
        // cos has already written the uploaded files into saveDir; nothing is deleted here
    }
}
3. Register the bean you created in the configuration file
4. Set the struts.multipart.parser property to cos
<!-- Configure the parser for cos file uploads -->
<bean type="org.apache.struts2.dispatcher.multipart.MultiPartRequest" name="cos" class="com.xxxxx.common.util.CosMultiPartRequest" />
<!-- Avoid the vulnerability numbered CVE-2017-5638 -->
<!-- Affected systems and versions: Struts 2.3.5 - Struts 2.3.31, Struts 2.5 - Struts 2.5.10 -->
<constant name="struts.multipart.parser" value="cos"></constant>
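A pre-deployment check for the mistake described above (the constant set to cos with no matching bean registered), as an added example that is not part of the original post. The function name check_multipart_parser, the BUILTIN_PARSERS set and both struts.xml snippets are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

MULTIPART_TYPE = "org.apache.struts2.dispatcher.multipart.MultiPartRequest"
# Assumption: parser bean names already provided by the deployed Struts version.
BUILTIN_PARSERS = frozenset({"jakarta", "jakarta-stream"})

# Constructed sample: only the constant was added (the state that broke uploads).
CONSTANT_ONLY = """<struts>
  <constant name="struts.multipart.parser" value="cos"></constant>
</struts>"""

# Constructed sample: bean registered and then selected (steps 3 and 4).
BEAN_AND_CONSTANT = """<struts>
  <bean type="org.apache.struts2.dispatcher.multipart.MultiPartRequest" name="cos"
        class="com.xxxxx.common.util.CosMultiPartRequest" />
  <constant name="struts.multipart.parser" value="cos"></constant>
</struts>"""


def check_multipart_parser(struts_xml, builtin=BUILTIN_PARSERS):
    """Return (status, detail) for the struts.multipart.parser constant."""
    root = ET.fromstring(struts_xml)
    value = ""
    for const in root.iter("constant"):
        if const.get("name") == "struts.multipart.parser":
            value = (const.get("value") or "").strip()
    if not value:
        return ("default", "struts.multipart.parser is not set in this file")
    # Beans of the MultiPartRequest type registered in this file, keyed by name.
    beans = {b.get("name"): b.get("class")
             for b in root.iter("bean") if b.get("type") == MULTIPART_TYPE}
    if value in beans:
        return ("registered", beans[value])
    if value in builtin:
        return ("builtin", value)
    # No bean of that name: the situation behind "Unable to load bean ... (cos)".
    return ("unresolved", value)


if __name__ == "__main__":
    for label, xml in (("constant only", CONSTANT_ONLY),
                       ("bean + constant", BEAN_AND_CONSTANT)):
        print(label, "->", check_multipart_parser(xml))
```

The check reads a single file, so beans registered in other included configuration files or in plugin jars are not seen by it.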