"
应用上有个漏洞,漏洞如下
在web.xml中添加过滤器
<!-- 修复Struts OGNL控制面板泄露漏洞,添加访问过滤,过滤掉问题链接 --> <filter> <filter-name>ognlFilter</filter-name> <filter-class>OgnlFilter</filter-class> </filter> <filter-mapping> <filter-name>ognlFilter</filter-name> <url-pattern>*/struts/webconsole.html</url-pattern> </filter-mapping>
import java.io.IOException; import javax.servlet.Filter; import javax.servlet.FilterChain; import javax.servlet.FilterConfig; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; /** * @author weber * Struts OGNL控制面板泄露漏洞链接过滤 * */ public class OgnlFilter implements Filter{ @Override public void destroy() { } @Override public void doFilter(ServletRequest request, ServletResponse response, FilterChain arg2) throws IOException, ServletException { HttpServletRequest req = (HttpServletRequest) request; HttpServletResponse resp = (HttpServletResponse) response; //跳转到错误界面 resp.sendRedirect("/404.jsp"); } @Override public void init(FilterConfig arg0) throws ServletException { } }
"
不需要这么麻烦.
解决办法:二选一或保险点两个都做了
1.升级
2.添加排除:struts.xml中:(或properties里)
<constant name="struts.devMode" value="false" /> <constant name="struts.action.excludePattern" value="/struts/webconsole.html,/struts/webconsole.js,/struts/webconsole.css"/>
版权声明:本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。