Error message

Error seen in the browser

Error summary:

The request was rejected because the URL contained a potentially malicious String ";"

Error seen in the console

2019-09-09 10:39:30,149 ERROR (DirectJDKLog.java:182)- Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)
at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:245)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:194)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)

Environment

Spring Boot 2.0 + Spring Security

Tracing the code

We can locate the check in org.springframework.security.web.firewall.StrictHttpFirewall:

    /**
     * <p>
     * Determines if semicolon is allowed in the URL (i.e. matrix variables). The default
     * is to disable this behavior because it is a common way of attempting to perform
     * <a href="https://www.owasp.org/index.php/Reflected_File_Download">Reflected File Download Attacks</a>.
     * It is also the source of many exploits which bypass URL based security.
     * </p>
     * <p>For example, the following CVEs are a subset of the issues related
     * to ambiguities in the Servlet Specification on how to treat semicolons that
     * led to CVEs:
     * </p>
     * <ul>
     * <li><a href="https://pivotal.io/security/cve-2016-5007">cve-2016-5007</a></li>
     * <li><a href="https://pivotal.io/security/cve-2016-9879">cve-2016-9879</a></li>
     * <li><a href="https://pivotal.io/security/cve-2018-1199">cve-2018-1199</a></li>
     * </ul>
     *
     * <p>
     * If you are wanting to allow semicolons, please reconsider as it is a very common
     * source of security bypasses. A few common reasons users want semicolons and
     * alternatives are listed below:
     * </p>
     * <ul>
     * <li>Including the JSESSIONID in the path - You should not include session id (or
     * any sensitive information) in a URL as it can lead to leaking. Instead use Cookies.
     * </li>
     * <li>Matrix Variables - Users wanting to leverage Matrix Variables should consider
     * using HTTP parameters instead.
     * </li>
     * </ul>
     *
     * @param allowSemicolon should semicolons be allowed in the URL. Default is false
     */
    public void setAllowSemicolon(boolean allowSemicolon) {
        if (allowSemicolon) {
            urlBlacklistsRemoveAll(FORBIDDEN_SEMICOLON);
        } else {
            urlBlacklistsAddAll(FORBIDDEN_SEMICOLON);
        }
    }

The Javadoc makes the point explicitly: if you want to allow semicolons, reconsider, because they are a very common source of security bypasses. It lists the usual reasons users want semicolons, together with the alternatives:

Including the JSESSIONID in the path: you should not put a session ID (or any other sensitive information) in a URL, because it can leak. Use cookies instead.

Matrix variables: use ordinary HTTP request parameters instead.

Solution

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@SpringBootApplication
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    // Registering an HttpFirewall bean replaces the default StrictHttpFirewall
    // that Spring Security's FilterChainProxy applies to every request.
    @Bean
    public HttpFirewall allowUrlSemicolonHttpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowSemicolon(true);
        return firewall;
    }
}

Once this restriction is lifted the error no longer occurs, but doing so is not appropriate for applications with high security requirements; where possible, keep the default firewall and move the value out of the path and into a request parameter, as the Javadoc recommends.
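The following JUnit 5 test is added here and is not part of the original post; it pins down the firewall behaviour described above: the default StrictHttpFirewall rejects a raw or percent-encoded semicolon in the path, accepts the same value when passed as an ordinary request parameter (the alternative the Javadoc recommends), and setAllowSemicolon(true) lifts only that one check while other rules such as path normalization stay in force. It assumes spring-test (for MockHttpServletRequest) and JUnit 5 are on the test classpath; the /items paths are constructed sample input.

```java
import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
import static org.junit.jupiter.api.Assertions.assertThrows;

import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

class SemicolonFirewallTest {

    // Applies the same check that FilterChainProxy runs before any security filter.
    // Throws RequestRejectedException when the firewall rejects the request.
    private static void check(StrictHttpFirewall firewall, String path, String query) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", path);
        request.setQueryString(query);
        firewall.getFirewalledRequest(request);
    }

    @Test
    void defaultFirewallRejectsSemicolonInPath() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        // Raw and percent-encoded forms are all blacklisted (";", "%3b", "%3B"),
        // so encoding the character does not get a path parameter past the check.
        assertThrows(RequestRejectedException.class, () -> check(firewall, "/items;id=1", null));
        assertThrows(RequestRejectedException.class, () -> check(firewall, "/items%3bid=1", null));
        assertThrows(RequestRejectedException.class, () -> check(firewall, "/items%3Bid=1", null));
    }

    @Test
    void requestParameterAlternativeIsAccepted() {
        // Same value carried as a query parameter: the path stays clean and the
        // default firewall lets the request through, so no bean override is needed.
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        assertDoesNotThrow(() -> check(firewall, "/items", "id=1"));
    }

    @Test
    void allowSemicolonLiftsOnlyThatCheck() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowSemicolon(true);
        assertDoesNotThrow(() -> check(firewall, "/items;id=1", null));
        // Other StrictHttpFirewall rules still apply, e.g. non-normalized paths.
        assertThrows(RequestRejectedException.class, () -> check(firewall, "/items/../admin", null));
    }
}
```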

The request was rejected because the URL contained a potentially malicious String ";"报错解决的更多相关文章

  1. security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"

    今天有个接口打算使用矩阵变量来绑定参数,即使用@MatrixVariable注解来接收参数 调用接口后项目报了如下错误 org.springframework.security.web.firewal ...

  2. SpringBoot整合升级Spring Security 报错 【The request was rejected because the URL was not normalized】

    前言 最近LZ给项目框架升级, 从Spring1.x升级到Spring2.x, 在这里就不多赘述两个版本之间的区别以及升级的原因. 关于升级过程中踩的坑,在其他博文中会做比较详细的记录,以便给读者参考 ...

  3. spring boot The request was rejected because the URL was not normalized

    升级spring boot 1.5.10.RELEASE 版本后,突然发现之前能Nginx代理能请求的地址抛如下异常: org.springframework.security.web.firewal ...

  4. XmlDocument.Load(url) url是https远程时,报错" 基础连接已经关闭: 未能为 SSL/TLS 安全通道建立信任关系。" "根据验证过程,远程证书无效。"

    XmlDocument.Load(url)  url是https远程时,报错" 基础连接已经关闭: 未能为 SSL/TLS 安全通道建立信任关系."   "根据验证过程, ...

  5. iOS url带中文下载时 报错解决方法

    问题描述:下载文件时, 请求带中文的URL的资源时,比如:http://s237.sznews.com/pic/2010/11/23/e4fa5794926548ac953a8a525a23b6f2/ ...

  6. django ajax报错解决:You called this URL via POST, but the URL doesn't end in a slash and you have APPEND_SLASH set.

    Django版本号:1.11.15 django中ajax请求报错:You called this URL via POST, but the URL doesn't end in a slash a ...

  7. iOS开发-url包括中文报错解决的方法

    常常, 我们用通过这个方案调用API. NSString* urlString = [NSString stringWithFormat:@"http://api.douban.com/v2 ...

  8. 报错解决——uwsgi错误invalid request block size

    uwsgi错误invalid request block size 使用uwsgi启动django代码,然后打开浏览器输入http://localhost:8000/admin.后台出现下面错误 in ...

  9. Exception occurred while processing this request, check the log for more information!安装ActiveMq-5.14.1 配置安全验证报错解决

    安装ActiveMq-5.14.1  并配置了安全验证成功后,客户端也连接成功了.服务端也能通过http://IP:8161登录到控制台. 但是在点击队列,想要查看队列视图时报错,如下图: 查看日志发 ...

随机推荐

  1. v-model原理解析

    vue中v-model可以实现数据的双向绑定,但是为什么这个指令就可以实现数据的双向绑定呢? 其实v-model是vue的一个语法糖.即利用v-model绑定数据后,既绑定了数据,又添加了一个inpu ...

  2. java内存溢出定位

    一.内存溢出问题分类 瞬时流量过大造成的创建大量对象 内存泄漏导致的内存溢出,一般就是程序编码的BUG引起的 二.内存泄漏问题分析 step1: 收集内存泄漏的堆内存异常日志 > 添加HeapD ...

  3. 谷歌浏览器不兼容的一些Js

    这篇博文主要记录本人在实际应用中碰到的谷歌浏览器与一些Js不兼容的问题,随着时间的推移,这篇博文的内容可能越来越多,也可能一点也没有(我想那时候谷歌肯定是相当牛逼的). 1.谷歌浏览器不兼容docum ...

  4. 6、Spring Boot 2.x 集成 MyBatis

    1.6 Spring Boot 2.x 集成 MyBatis 简介 详细介绍如何在Spring Boot中整合MyBatis,并通过注解方式实现映射. 完整源码: 1.6.1 创建 spring-bo ...

  5. python通用分页功能

    实现: class Page: def __init__(self,current_page,data_count,per_page_count=10,pager_num=10): self.curr ...

  6. HTML的基础

    HTML:超文本标记语言                            超文本包括:文字.图片.音频.视频.动画等 流程:写好HTML代码后通过浏览器(自动编译HTML代码)展现出效果 HTM ...

  7. 036_监控 HTTP 服务器的状态(测试返回码)

    #!/bin/bash #设置变量,url 为你需要检测的目标网站的网址(IP 或域名)url=http://192.168.4.5/index.html #定义函数 check_http:#使用 c ...

  8. Python—“helloworld”

    接触一门计算机新语言,第一件事就是要准备好一个编译器用来打代码. 网上很多环境搭建的方法,具体参照https://www.runoob.com/python/python-install.html 由 ...

  9. c++ 容器切片反转次序(不拷贝到新容器)

    // rotate algorithm example #include <iostream> // cout #include <algorithm> // rotate # ...

  10. java试题复盘——11月25日

    上: 11.下列表述错误的是?(D) A.int是基本类型,直接存数值,Integer是对象,用一个引用指向这个对象. B.在子类构造方法中使用super()显示调用父类的构造方法,super()必须 ...