How to configure Spring MVC to prevent "Path-Based Vulnerability"
Question
I have a Spring MVC (5.0.8.RELEASE) application and a recent security scan indicates that it has "Path-Based Vulnerability". Here is the controller:
@RequestMapping(value = "/faq", method = RequestMethod.GET)
public String faq(HttpServletRequest request) {
    return "faq";
}
For the above controller, here is the valid URL for my FAQ page:
http://example.com/faq
However, based on the security scan and what I tested, the following URL works too:
http://example.com/faq.anything
How can I configure Spring MVC to make http://example.com/faq the only valid URL? (Suppose that I don't use @PathVariable.)
Recommended answer
Because Spring supports the ".*" suffix by default, /person is also mapped to /person.*, so /person.xml, /person.pdf or /person.any is mapped too. To completely disable the use of file extensions, you must set both of these:
.useSuffixPatternMatching(false)
.favorPathExtension(false)
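As an added example that is not part of the original answer: a Java configuration class for Spring MVC 5.0.x that applies both settings through the public API. The answer's `.useSuffixPatternMatching(false)` corresponds to `PathMatchConfigurer.setUseSuffixPatternMatch(false)` (the setter on `RequestMappingHandlerMapping` has the same name), and `.favorPathExtension(false)` to `ContentNegotiationConfigurer.favorPathExtension(false)`. The class name `WebConfig` is an assumption; the application is assumed to already have `@EnableWebMvc` on some configuration class (a plain Spring MVC app, not Spring Boot).

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.ContentNegotiationConfigurer;
import org.springframework.web.servlet.config.annotation.PathMatchConfigurer;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/**
 * Added example (not from the original question or answer): Spring MVC 5.0.x
 * Java config that closes both paths by which /faq.anything reaches the /faq
 * handler. The class name WebConfig is an assumption.
 */
@Configuration
public class WebConfig implements WebMvcConfigurer {

    /**
     * Suffix pattern matching is what turns the mapping "/faq" into "/faq.*".
     * Turning it off makes "/faq" match only "/faq"; "/faq.anything" falls
     * through to a 404 instead of the FAQ handler.
     */
    @Override
    public void configurePathMatch(PathMatchConfigurer configurer) {
        configurer.setUseSuffixPatternMatch(false);
        // The "registered" variant would still accept extensions known to
        // content negotiation (for example /faq.json or /faq.xml); disable it too.
        configurer.setUseRegisteredSuffixPatternMatch(false);
    }

    /**
     * Content negotiation by path extension is the second mechanism: with it on,
     * Spring reads the requested media type from the extension in the URL.
     * Turning it off leaves the Accept header as the source of the media type.
     */
    @Override
    public void configureContentNegotiation(ContentNegotiationConfigurer configurer) {
        configurer.favorPathExtension(false);
    }
}
```

After deploying this, check the result the scanner complained about: `curl -i http://example.com/faq.anything` should now return 404 while `curl -i http://example.com/faq` still returns 200. The reason scanners flag this is practical: URL-based rules that key on the exact path (for example a Spring Security `antMatchers("/faq")` rule, or a reverse-proxy allow-list) do not match `/faq.anything`, and path-extension content negotiation is the ingredient of reflected file download attacks, which is why Spring's reference documentation advises against both. In Spring Boot 2.0.x (which ships Spring 5.0.x) the same two switches are the properties `spring.mvc.pathmatch.use-suffix-pattern=false` and `spring.mvc.contentnegotiation.favor-path-extension=false`. From Spring Framework 5.3 onward both options are deprecated and default to `false`, so the explicit configuration is only needed on 5.0 through 5.2.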
This concludes the article on how to configure Spring MVC to prevent "Path-Based Vulnerability"; we hope the recommended answer helps, and thank you for supporting IT屋!