简介
在安全漏洞中,有不安全的HTTP请求方式;
原因:
1、Tomcat PUT 的上传漏洞,受影响的版本:Apache Tomcat 7.0.0 to 7.0.79
2、 Nginx 在开启 WebDAV 模式下,如果未配置认证模式,攻击者可以通过自由上传文件方法上传木马攻击服务器。
整改建议:
禁止使用GET、POST以外的HTTP方法,如PUT、DELETE、TRACE等
vue和springboot的解决方式
处理方式:
1、前端在遇到put/delete方法的时候,将该方法改为post方法,然后添加请求头X-HTTP-Method-Override
,将真实的请求方式放入;
2、后端:编写过滤器,如果方法是post方法,且有X-HTTP-Method-Override
参数的,然后重新转到对应的方法
vue
if (config.method.toLowerCase() === 'put') {
config.method = 'post'
config.headers['X-HTTP-Method-Override'] = 'put'
} else if (config.method.toLowerCase() === 'delete') {
config.method = 'post'
config.headers['X-HTTP-Method-Override'] = 'delete'
}
后端
package com.eshore.framework.security.filter;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.filter.RequestContextFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Locale;
@Component
//这里使用RequestContextFilter,OncePerRequestFilter有时会不生效
public class HttpMethodOverrideHeaderFilter extends RequestContextFilter {
private static final String X_HTTP_METHOD_OVERRIDE_HEADER = "X-HTTP-Method-Override";
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
String headerValue = request.getHeader(X_HTTP_METHOD_OVERRIDE_HEADER);
if (RequestMethod.POST.name().equalsIgnoreCase(request.getMethod()) && StringUtils.hasLength(headerValue)) {
String method = headerValue.toUpperCase(Locale.ENGLISH);
HttpServletRequest wrapper = new HttpMethodRequestWrapper(request, method);
filterChain.doFilter(wrapper, response);
}
else {
filterChain.doFilter(request, response);
}
}
private static class HttpMethodRequestWrapper extends HttpServletRequestWrapper {
private final String method;
public HttpMethodRequestWrapper(HttpServletRequest request, String method) {
super(request);
this.method = method;
}
@Override
public String getMethod() {
return this.method;
}
}
}