Fixing the Struts2 OGNL expression injection vulnerability
A production project runs Struts2 2.3 and needs a version upgrade. These are the steps that worked for it; there is no guarantee they apply unchanged to other projects.
- pom.xml
<struts.version>2.5.30</struts.version>
<!-- Struts-related libraries -->
<dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-core</artifactId>
    <version>${struts.version}</version>
</dependency>
<dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-config-browser-plugin</artifactId>
    <version>${struts.version}</version>
</dependency>
<dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-spring-plugin</artifactId>
    <version>${struts.version}</version>
</dependency>
<dependency>
    <groupId>org.apache.struts</groupId>
    <artifactId>struts2-json-plugin</artifactId>
    <version>${struts.version}</version>
</dependency>
- web.xml
<filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
replace with
<filter-class>org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter</filter-class>
- struts.xml
DTD 2.1 -> 2.5
In the package element, add the strict-method-invocation="false" attribute and a global-allowed-methods element, as follows.
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.1//EN" "http://struts.apache.org/dtds/struts-2.1.dtd">
replace with
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN" "http://struts.apache.org/dtds/struts-2.5.dtd">
<package name="root" extends="default" namespace="/" strict-method-invocation="false">
<default-interceptor-ref name="myStack" />
<global-allowed-methods>regex:.*</global-allowed-methods>
</package>
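Setting strict-method-invocation="false" together with regex:.* brings back the 2.3 behaviour in which any public action method can be invoked by name, which is exactly what Strict Method Invocation in 2.5 was added to restrict. As an added example, not taken from the original post, here is the same package with SMI left at its 2.5 default and the exposed methods listed explicitly; the action name, class, method names and result path are assumed placeholders:

```xml
<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN" "http://struts.apache.org/dtds/struts-2.5.dtd">
<struts>
    <!-- Keep the 2.5 default: clients may not pick a method through action!method URLs -->
    <constant name="struts.enable.DynamicMethodInvocation" value="false" />

    <!-- strict-method-invocation defaults to true in 2.5; written out here so the intent is visible -->
    <package name="root" extends="default" namespace="/" strict-method-invocation="true">
        <default-interceptor-ref name="myStack" />

        <!-- Instead of regex:.*, list only the methods every action in the package may expose -->
        <global-allowed-methods>execute,input</global-allowed-methods>

        <!-- Hypothetical wildcard action: with SMI on, method="{1}" is only honoured
             for the names in allowed-methods; any other name is rejected by Struts -->
        <action name="user_*" class="com.example.UserAction" method="{1}">
            <allowed-methods>list,save,delete</allowed-methods>
            <result name="success">/WEB-INF/jsp/user.jsp</result>
        </action>
    </package>
</struts>
```

Element order inside package matters for the 2.5 DTD: global-allowed-methods must come before the action elements, as shown.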
- Interceptor parameter handling
import java.util.Map;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.util.ValueStack;

Map<String, Object> parameters = invocation.getInvocationContext().getParameters();
ActionContext ac = invocation.getInvocationContext();
ValueStack stack = ac.getValueStack();
for (Map.Entry<String, Object> entry : parameters.entrySet()) {
    Object[] obj = (Object[]) entry.getValue(); // request parameters arrive as String[]; check the value for illegal / XSS content
    stack.setValue(entry.getKey(), xssEncode(obj[0].toString()));
}
change to
import java.util.Map;
import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.util.ValueStack;
import org.apache.struts2.dispatcher.HttpParameters;
import org.apache.struts2.dispatcher.Parameter;

HttpParameters parameters = invocation.getInvocationContext().getParameters();
ActionContext ac = invocation.getInvocationContext();
ValueStack stack = ac.getValueStack();
for (Map.Entry<String, Parameter> entry : parameters.entrySet()) {
    Parameter obj = entry.getValue(); // in 2.5 each parameter is wrapped; getValue() returns its first String value
    String value = obj.getValue();
    if (value == null) continue; // parameter sent without a value: nothing to encode
    stack.setValue(entry.getKey(), xssEncode(value)); // check the incoming value for illegal / XSS content
}
Compile and deploy; the application starts successfully.
Addendum
When the site is accessed over https, the address ends up as http.
Edit this part of Tomcat's server.xml:
<Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"
URIEncoding="UTF-8" secure="true" scheme="https" proxyPort="443"/>