报错信息

浏览器中看到的报错

错误摘要:

The request was rejected because the URL contained a potentially malicious String ";"

从控制台看到的报错

2019-09-09 10:39:30,149 ERROR (DirectJDKLog.java:182)- Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception

org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"

	at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)

	at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:245)

	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:194)

	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)

	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)

	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)

	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

	at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109)

	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

	at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)

	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)

	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)

	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)

	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)

	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)

	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)

	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)

	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)

	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)

	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)

	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)

	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)

	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)

	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

	at java.lang.Thread.run(Thread.java:748)

环境信息

***Springboot2.0 + Spring Security ***

代码追踪

我们可以找到org.springframework.security.web.firewall.StrictHttpFirewall

/**

 * <p>

 * Determines if semicolon is allowed in the URL (i.e. matrix variables). The default

 * is to disable this behavior because it is a common way of attempting to perform

 * <a href="https://www.owasp.org/index.php/Reflected_File_Download">Reflected File Download Attacks</a>.

 * It is also the source of many exploits which bypass URL based security.

 * </p>

 * <p>For example, the following CVEs are a subset of the issues related

 * to ambiguities in the Servlet Specification on how to treat semicolons that

 * led to CVEs:

 * </p>

 * <ul>

 *     <li><a href="https://pivotal.io/security/cve-2016-5007">cve-2016-5007</a></li>

 *     <li><a href="https://pivotal.io/security/cve-2016-9879">cve-2016-9879</a></li>

 *     <li><a href="https://pivotal.io/security/cve-2018-1199">cve-2018-1199</a></li>

 * </ul>

 *

 * <p>

 * If you are wanting to allow semicolons, please reconsider as it is a very common

 * source of security bypasses. A few common reasons users want semicolons and

 * alternatives are listed below:

 * </p>

 * <ul>

 * <li>Including the JSESSIONID in the path - You should not include session id (or

 * any sensitive information) in a URL as it can lead to leaking. Instead use Cookies.

 * </li>

 * <li>Matrix Variables - Users wanting to leverage Matrix Variables should consider

 * using HTTP parameters instead.

 * </li>

 * </ul>

 *

 * @param allowSemicolon should semicolons be allowed in the URL. Default is false

 */

public void setAllowSemicolon(boolean allowSemicolon) {

	if (allowSemicolon) {

		urlBlacklistsRemoveAll(FORBIDDEN_SEMICOLON);

	} else {

		urlBlacklistsAddAll(FORBIDDEN_SEMICOLON);

	}

}

这里提到了,如果您想要分号,请重新考虑,因为它是安全绕过的一个非常常见的来源。 下面列出了用户需要分号和替代品的一些常见原因:

在路径中包含JSESSIONID - 您不应在URL中包含会话ID(或任何敏感信息),因为它可能导致泄漏。 而是使用Cookies。

解决方案

@SpringBootApplication

public class Application {

    public static void main(String[] args) {

        SpringApplication.run(Application.class, args);

    }

    @Bean

    public HttpFirewall allowUrlSemicolonHttpFirewall() {

        StrictHttpFirewall firewall = new StrictHttpFirewall();

        firewall.setAllowSemicolon(true);

        return firewall;

    }

}

放开了该安全限制,就不会遇到该报错了,不适合对于安全性要求非常高的应用。

The request was rejected because the URL contained a potentially malicious String ";"报错解决的更多相关文章

  1. security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"

    今天有个接口打算使用矩阵变量来绑定参数,即使用@MatrixVariable注解来接收参数 调用接口后项目报了如下错误 org.springframework.security.web.firewal ...

  2. SpringBoot整合升级Spring Security 报错 【The request was rejected because the URL was not normalized】

    前言 最近LZ给项目框架升级, 从Spring1.x升级到Spring2.x, 在这里就不多赘述两个版本之间的区别以及升级的原因. 关于升级过程中踩的坑,在其他博文中会做比较详细的记录,以便给读者参考 ...

  3. spring boot The request was rejected because the URL was not normalized

    升级spring boot 1.5.10.RELEASE 版本后,突然发现之前能Nginx代理能请求的地址抛如下异常: org.springframework.security.web.firewal ...

  4. XmlDocument.Load(url) url是https远程时,报错" 基础连接已经关闭: 未能为 SSL/TLS 安全通道建立信任关系。" "根据验证过程,远程证书无效。"

    XmlDocument.Load(url)  url是https远程时,报错" 基础连接已经关闭: 未能为 SSL/TLS 安全通道建立信任关系."   "根据验证过程, ...

  5. iOS url带中文下载时 报错解决方法

    问题描述:下载文件时, 请求带中文的URL的资源时,比如:http://s237.sznews.com/pic/2010/11/23/e4fa5794926548ac953a8a525a23b6f2/ ...

  6. django ajax报错解决:You called this URL via POST, but the URL doesn't end in a slash and you have APPEND_SLASH set.

    Django版本号:1.11.15 django中ajax请求报错:You called this URL via POST, but the URL doesn't end in a slash a ...

  7. iOS开发-url包括中文报错解决的方法

    常常, 我们用通过这个方案调用API. NSString* urlString = [NSString stringWithFormat:@"http://api.douban.com/v2 ...

  8. 报错解决——uwsgi错误invalid request block size

    uwsgi错误invalid request block size 使用uwsgi启动django代码,然后打开浏览器输入http://localhost:8000/admin.后台出现下面错误 in ...

  9. Exception occurred while processing this request, check the log for more information!安装ActiveMq-5.14.1 配置安全验证报错解决

    安装ActiveMq-5.14.1  并配置了安全验证成功后,客户端也连接成功了.服务端也能通过http://IP:8161登录到控制台. 但是在点击队列,想要查看队列视图时报错,如下图: 查看日志发 ...

随机推荐

  1. Activiti服务类- RepositoryService服务类

    Activity服务类-1 RepositoryService服务类一共47个接口1.创建部署//开始创建一个新的部署.DeploymentBuilder createDeployment(); 2. ...

  2. 一些有用的dll

    1.生成excel工具- EPPlus EPPlus.dll 2.生成word工具 - OpenXml DocumentFormat.OpenXml.dll 3.生成条形码工具 -  ZXing zx ...

  3. 2018年 第43届ACM-ICPC亚洲区域赛(青岛)现场赛 赛后总结

    下了动车后,又颠颠簸簸的在公交车上过了接近一个小时,本来就晕车,于是,到的时候脑子晕死了,而且想吐.可能是没吃早饭的缘故,午饭好好次QWQ. 开幕式 还是第一次在这种环境下参赛,记得以前是看老师发的学 ...

  4. 7月清北学堂培训 Day 2

    今天是林永迪老师的讲授~ 继续昨日的贪心内容. 我们继续看例题: 分析样例的过河方法: 首先1和2先过河,总时间为2: 然后1回来,总时间为3: 然后5和10过河,总时间为13: 然后2回来,总时间为 ...

  5. 动态规划——区间DP,计数类DP,数位统计DP

    本博客部分内容参考:<算法竞赛进阶指南> 一.区间DP 划重点: 以前所学过的线性DP一般从初始状态开始,沿着阶段的扩张向某个方向递推,直至计算出目标状态. 区间DP也属于线性DP的一种, ...

  6. Linux快速编译

    #include<bits/stdc++.h> using namespace std; string name, tmp, s; int main() { cin >> tm ...

  7. 使用 pip wheel 实现 Python 依赖包的离线安装

    pip python 依赖 安装 有时候, 需要部署 Python 应用的服务器没有网络连接, 这时候, 你就要把整个 Python 应用做成离线安装包. 借助 wheel, 很容易就可以实现. 首先 ...

  8. 2.4 Go语言基础之切片

    本文主要介绍Go语言中切片(slice)及它的基本使用. 一.引子 因为数组的长度是固定的并且数组长度属于类型的一部分,所以数组有很多的局限性. 例如: func arraySum(x [3]int) ...

  9. kotlin中接口

    使用interface关键字声明,一个类可以多实现,实现方法与类继承相同 接口中的属性和方法都是open的 package loaderman.demo interface myInterface{ ...

  10. XM概述

    概述: Extensible Markup Language: 可扩展的标记语言 特点: 语法很严格 标签自定义 作用: * 存储数据 * 做配置文件 * 用于进行数据传输 文档声明: 标示这个文档是 ...