dashboard: fix vulnerability of bypassing AuthFilter ACL control

- credit to anonymous reporter :)

Signed-off-by: Eric Zhao <sczyh16@gmail.com>
Eric Zhao 2019-09-11 22:29:01 +08:00
parent 4c0e35fddd
commit 6f5ede80ae
1 changed files with 3 additions and 3 deletions


@ -75,10 +75,10 @@ public class AuthFilter implements Filter {
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
HttpServletRequest httpRequest = (HttpServletRequest) request; HttpServletRequest httpRequest = (HttpServletRequest) request;
String requestURI = httpRequest.getRequestURI(); String servletPath = httpRequest.getServletPath();
// Exclude the urls which needn't auth // Exclude the urls which needn't auth
if (authFilterExcludeUrls.contains(requestURI)) { if (authFilterExcludeUrls.contains(servletPath)) {
chain.doFilter(request, response); chain.doFilter(request, response);
return; return;
} }
@ -94,7 +94,7 @@ public class AuthFilter implements Filter {
authFilterExcludeUrlSuffix = URL_SUFFIX_DOT + authFilterExcludeUrlSuffix; authFilterExcludeUrlSuffix = URL_SUFFIX_DOT + authFilterExcludeUrlSuffix;
} }
if (requestURI.endsWith(authFilterExcludeUrlSuffix)) { if (servletPath.endsWith(authFilterExcludeUrlSuffix)) {
chain.doFilter(request, response); chain.doFilter(request, response);
return; return;
} }