The request was rejected because the URL contained a potentially malicious String ";"报错解决

最新推荐文章于 2024-06-04 21:27:13 发布

weixin_30664615

最新推荐文章于 2024-06-04 21:27:13 发布

阅读量1.3w

点赞数

文章标签： java php

原文链接：http://www.cnblogs.com/zaid/p/11211394.html

版权

报错信息

浏览器中看到的报错

安全问题

错误摘要：
The request was rejected because the URL contained a potentially malicious String ";"

从控制台看到的报错

2019-09-09 10:39:30,149 ERROR (DirectJDKLog.java:182)- Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
    at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)
    at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:245)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:194)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

环境信息

Springboot2.0 + Spring Security

代码追踪

我们可以找到org.springframework.security.web.firewall.StrictHttpFirewall

/**
 * <p>
 * Determines if semicolon is allowed in the URL (i.e. matrix variables). The default
 * is to disable this behavior because it is a common way of attempting to perform
 * <a href="https://www.owasp.org/index.php/Reflected_File_Download">Reflected File Download Attacks</a>.
 * It is also the source of many exploits which bypass URL based security.
 * </p>
 * <p>For example, the following CVEs are a subset of the issues related
 * to ambiguities in the Servlet Specification on how to treat semicolons that
 * led to CVEs:
 * </p>
 * <ul>
 *     <li><a href="https://pivotal.io/security/cve-2016-5007">cve-2016-5007</a></li>
 *     <li><a href="https://pivotal.io/security/cve-2016-9879">cve-2016-9879</a></li>
 *     <li><a href="https://pivotal.io/security/cve-2018-1199">cve-2018-1199</a></li>
 * </ul>
 *
 * <p>
 * If you are wanting to allow semicolons, please reconsider as it is a very common
 * source of security bypasses. A few common reasons users want semicolons and
 * alternatives are listed below:
 * </p>
 * <ul>
 * <li>Including the JSESSIONID in the path - You should not include session id (or
 * any sensitive information) in a URL as it can lead to leaking. Instead use Cookies.
 * </li>
 * <li>Matrix Variables - Users wanting to leverage Matrix Variables should consider
 * using HTTP parameters instead.
 * </li>
 * </ul>
 *
 * @param allowSemicolon should semicolons be allowed in the URL. Default is false
 */
public void setAllowSemicolon(boolean allowSemicolon) {
    if (allowSemicolon) {
        urlBlacklistsRemoveAll(FORBIDDEN_SEMICOLON);
    } else {
        urlBlacklistsAddAll(FORBIDDEN_SEMICOLON);
    }
}

这里提到了，如果您想要分号，请重新考虑，因为它是安全绕过的一个非常常见的来源。下面列出了用户需要分号和替代品的一些常见原因：
在路径中包含JSESSIONID - 您不应在URL中包含会话ID（或任何敏感信息），因为它可能导致泄漏。而是使用Cookies。

解决方案

@SpringBootApplication
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    @Bean
    public HttpFirewall allowUrlSemicolonHttpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowSemicolon(true);
        return firewall;
    }
}

放开了该安全限制，就不会遇到该报错了，不适合对于安全性要求非常高的应用。

转载于:https://www.cnblogs.com/zaid/p/11211394.html

weixin_30664615

关注

0
点赞
踩
4

收藏

觉得还不错? 一键收藏
0
评论
The request was rejected because the URL contained a potentially malicious String ";"报错解决

报错信息浏览器中看到的报错错误摘要：The request was rejected because the URL contained a potentially malicious String ";"从控制台看到的报错2019-09-09 10:39:30,149 ERROR (DirectJDKLog.java:182)- Servlet.service() for ...
复制链接

扫一扫