Situation:
When a parameter you receive contains special characters (above all the line-break characters CR and LF), log forging becomes possible:
String val = request.getParameter("val"); // attacker-controlled; the container has already URL-decoded it
try {
    int value = Integer.parseInt(val);
} catch (NumberFormatException nfe) {
    // Vulnerable: val is concatenated into the log message unchanged, newlines included
    log.info("Failed to parse val = " + val);
}
For example, if the val received above is "abc", the log output is:
INFO: Failed to parse val = abc
But if the parameter is val=abc%0a%0aINFO:+User+logged+out%3driemann, the log output changes:
INFO: Failed to parse val = abc
INFO: User logged out=riemann
The servlet container URL-decodes %0a to a line feed (and %3d to "=") before getParameter returns, and the logger writes the value verbatim, so the line break is treated as the end of the entry rather than as ordinary text. Whoever reads the log afterwards (a person or a SIEM rule) sees a second, forged entry claiming that user riemann logged out.
Solution: write a utility class that strips the special characters from the value before it is logged. Two caveats: getParameter has already decoded the request, so the literal "%0a"/"%0d" entries below only matter if the string is still URL-encoded (the "\r" and "\n" entries do the real work); and deleting the characters silently loses the evidence that someone tried this, so replacing them with a visible escape such as the two characters \n is often preferable to removing them.
import java.text.Normalizer;
import java.util.ArrayList;
import java.util.List;

/**
 * Log Forging check: normalizes the input and removes the characters that
 * would start a new log line.
 * @param logs the untrusted value that is about to be written to the log
 * @return the value with CR/LF (and their URL-encoded forms) removed
 */
public static String vaildLog(String logs) {
    if (logs == null) {
        return null; // getParameter returns null for a missing parameter; Normalizer would throw
    }
    List<String> list = new ArrayList<String>();
    list.add("%0a"); // URL-encoded LF (only relevant if the input is still encoded)
    list.add("%0A");
    list.add("%0d"); // URL-encoded CR
    list.add("%0D");
    list.add("\r"); // decoded CR
    list.add("\n"); // decoded LF
    // Normalize first so that compatibility characters collapse to their plain
    // forms before the blacklist is applied
    String normalize = Normalizer.normalize(logs, Normalizer.Form.NFKC);
    for (String str : list) {
        normalize = normalize.replace(str, "");
    }
    return normalize;
}
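The following class is an added example, not code from the original note: it escapes line breaks and other control characters instead of deleting them, so the injected "second line" stays visibly inside the entry it was smuggled into, and it also covers characters the blacklist above misses (tabs, ESC for ANSI colour sequences, NEL, U+2028/U+2029). The class and method names LogSanitizerDemo and sanitizeForLog are my own; the sample value in main is constructed to match what request.getParameter("val") hands back for the payload above after the container has URL-decoded it, and System.out.println stands in for the logger.

```java
import java.text.Normalizer;

/**
 * Added example, not code from the original note: escape control characters
 * instead of deleting them, so a forged second line stays inside the entry
 * it was injected into and the attempt remains visible in the log.
 */
public class LogSanitizerDemo {

    /**
     * Returns the input with every line break and control character replaced
     * by a visible escape sequence, so the result always fits on one log line.
     */
    public static String sanitizeForLog(String input) {
        if (input == null) {
            return "null";
        }
        // Same ordering as the note's vaildLog: normalize first, then inspect,
        // so NFKC cannot reintroduce a character after it has been checked.
        String normalized = Normalizer.normalize(input, Normalizer.Form.NFKC);
        StringBuilder sb = new StringBuilder(normalized.length());
        int i = 0;
        while (i < normalized.length()) {
            int cp = normalized.codePointAt(i);
            i += Character.charCount(cp);
            int type = Character.getType(cp);
            switch (cp) {
                case '\n':
                    sb.append("\\n");
                    break;
                case '\r':
                    sb.append("\\r");
                    break;
                case '\t':
                    sb.append("\\t");
                    break;
                default:
                    // isISOControl covers the C0 controls (NUL, ESC used by ANSI
                    // colour sequences, ...) and C1 controls such as NEL (U+0085);
                    // the type checks cover U+2028/U+2029, which some log viewers
                    // render as line breaks although they are not ISO controls.
                    if (Character.isISOControl(cp)
                            || type == Character.LINE_SEPARATOR
                            || type == Character.PARAGRAPH_SEPARATOR) {
                        sb.append(String.format("\\u%04X", cp));
                    } else {
                        sb.appendCodePoint(cp);
                    }
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed input (assumption): what request.getParameter("val") returns
        // for val=abc%0a%0aINFO:+User+logged+out%3driemann once the container
        // has decoded it (%0a -> LF, %3d -> '=', '+' -> space).
        String val = "abc\n\nINFO: User logged out=riemann";

        // Vulnerable form from the note: the decoded line feeds go straight
        // into the log text and produce a convincing extra entry.
        System.out.println("--- unsanitized ---");
        System.out.println("INFO: Failed to parse val = " + val);

        // Hardened form: a single line, with the injected line feeds shown
        // literally as backslash-n so the attempt is obvious to the reader.
        System.out.println("--- sanitized ---");
        System.out.println("INFO: Failed to parse val = " + sanitizeForLog(val));
    }
}
```

Run it with javac LogSanitizerDemo.java && java LogSanitizerDemo and compare the two blocks: the unsanitized one contains the fake "User logged out" entry on its own line, the sanitized one keeps the whole payload inside the "Failed to parse" entry. Escaping is chosen over stripping deliberately: the log still records exactly what the client sent, which is what you want when investigating the attempt later.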
Recorded only as a note so I don't forget.