报错信息

浏览器中看到的报错

错误摘要:

The request was rejected because the URL contained a potentially malicious String ";"

从控制台看到的报错

2019-09-09 10:39:30,149 ERROR (DirectJDKLog.java:182)- Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception

org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"

	at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)

	at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:245)

	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:194)

	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)

	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)

	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)

	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

	at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109)

	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

	at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)

	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)

	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)

	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)

	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)

	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)

	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)

	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)

	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)

	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)

	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)

	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)

	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)

	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)

	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

	at java.lang.Thread.run(Thread.java:748)

环境信息

***Springboot2.0 + Spring Security ***

代码追踪

我们可以找到org.springframework.security.web.firewall.StrictHttpFirewall

/**

 * <p>

 * Determines if semicolon is allowed in the URL (i.e. matrix variables). The default

 * is to disable this behavior because it is a common way of attempting to perform

 * <a href="https://www.owasp.org/index.php/Reflected_File_Download">Reflected File Download Attacks</a>.

 * It is also the source of many exploits which bypass URL based security.

 * </p>

 * <p>For example, the following CVEs are a subset of the issues related

 * to ambiguities in the Servlet Specification on how to treat semicolons that

 * led to CVEs:

 * </p>

 * <ul>

 *     <li><a href="https://pivotal.io/security/cve-2016-5007">cve-2016-5007</a></li>

 *     <li><a href="https://pivotal.io/security/cve-2016-9879">cve-2016-9879</a></li>

 *     <li><a href="https://pivotal.io/security/cve-2018-1199">cve-2018-1199</a></li>

 * </ul>

 *

 * <p>

 * If you are wanting to allow semicolons, please reconsider as it is a very common

 * source of security bypasses. A few common reasons users want semicolons and

 * alternatives are listed below:

 * </p>

 * <ul>

 * <li>Including the JSESSIONID in the path - You should not include session id (or

 * any sensitive information) in a URL as it can lead to leaking. Instead use Cookies.

 * </li>

 * <li>Matrix Variables - Users wanting to leverage Matrix Variables should consider

 * using HTTP parameters instead.

 * </li>

 * </ul>

 *

 * @param allowSemicolon should semicolons be allowed in the URL. Default is false

 */

public void setAllowSemicolon(boolean allowSemicolon) {

	if (allowSemicolon) {

		urlBlacklistsRemoveAll(FORBIDDEN_SEMICOLON);

	} else {

		urlBlacklistsAddAll(FORBIDDEN_SEMICOLON);

	}

}

这里提到了,如果您想要分号,请重新考虑,因为它是安全绕过的一个非常常见的来源。 下面列出了用户需要分号和替代品的一些常见原因:

在路径中包含JSESSIONID - 您不应在URL中包含会话ID(或任何敏感信息),因为它可能导致泄漏。 而是使用Cookies。

解决方案

@SpringBootApplication

public class Application {

    public static void main(String[] args) {

        SpringApplication.run(Application.class, args);

    }

    @Bean

    public HttpFirewall allowUrlSemicolonHttpFirewall() {

        StrictHttpFirewall firewall = new StrictHttpFirewall();

        firewall.setAllowSemicolon(true);

        return firewall;

    }

}

放开了该安全限制,就不会遇到该报错了,不适合对于安全性要求非常高的应用。

The request was rejected because the URL contained a potentially malicious String ";"报错解决的更多相关文章

  1. security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"

    今天有个接口打算使用矩阵变量来绑定参数,即使用@MatrixVariable注解来接收参数 调用接口后项目报了如下错误 org.springframework.security.web.firewal ...

  2. SpringBoot整合升级Spring Security 报错 【The request was rejected because the URL was not normalized】

    前言 最近LZ给项目框架升级, 从Spring1.x升级到Spring2.x, 在这里就不多赘述两个版本之间的区别以及升级的原因. 关于升级过程中踩的坑,在其他博文中会做比较详细的记录,以便给读者参考 ...

  3. spring boot The request was rejected because the URL was not normalized

    升级spring boot 1.5.10.RELEASE 版本后,突然发现之前能Nginx代理能请求的地址抛如下异常: org.springframework.security.web.firewal ...

  4. XmlDocument.Load(url) url是https远程时,报错" 基础连接已经关闭: 未能为 SSL/TLS 安全通道建立信任关系。" "根据验证过程,远程证书无效。"

    XmlDocument.Load(url)  url是https远程时,报错" 基础连接已经关闭: 未能为 SSL/TLS 安全通道建立信任关系."   "根据验证过程, ...

  5. iOS url带中文下载时 报错解决方法

    问题描述:下载文件时, 请求带中文的URL的资源时,比如:http://s237.sznews.com/pic/2010/11/23/e4fa5794926548ac953a8a525a23b6f2/ ...

  6. django ajax报错解决:You called this URL via POST, but the URL doesn't end in a slash and you have APPEND_SLASH set.

    Django版本号:1.11.15 django中ajax请求报错:You called this URL via POST, but the URL doesn't end in a slash a ...

  7. iOS开发-url包括中文报错解决的方法

    常常, 我们用通过这个方案调用API. NSString* urlString = [NSString stringWithFormat:@"http://api.douban.com/v2 ...

  8. 报错解决——uwsgi错误invalid request block size

    uwsgi错误invalid request block size 使用uwsgi启动django代码,然后打开浏览器输入http://localhost:8000/admin.后台出现下面错误 in ...

  9. Exception occurred while processing this request, check the log for more information!安装ActiveMq-5.14.1 配置安全验证报错解决

    安装ActiveMq-5.14.1  并配置了安全验证成功后,客户端也连接成功了.服务端也能通过http://IP:8161登录到控制台. 但是在点击队列,想要查看队列视图时报错,如下图: 查看日志发 ...

随机推荐

  1. 2019HDU多校Minimal Power of Prime——分段讨论&&思维

    题目 将 $n$($1 < n \leq 10^{18}$)质因数分解,求质因数幂的最小值. 分析 直接质因数分解,不太行. 可以这样想,对小区间质因数分解,n变小了,再枚举答案. 打印1-10 ...

  2. ACM-ICPC 2018 青岛赛区现场赛 D. Magic Multiplication && ZOJ 4061 (思维+构造)

    题目链接:http://acm.zju.edu.cn/onlinejudge/showProblem.do?problemCode=4061 题意:定义一个长度为 n 的序列 a1,a2,..,an ...

  3. xunit输出

    //输出,只能注入 public class MyUnitTest { private IServiceCollection service; private readonly ITestOutput ...

  4. 049_指定目录路径,脚本自动将该目录使用 tar 命令打包备份到/data 目录

    #!/bin/bash[ ! -d /data ] && mkdir /data  #确保有此目录[ -z $1 ] && exit   #为空不需要打包if [ -d ...

  5. luogu 2943 [USACO09MAR]清理Cleaning Up 动态规划

    非常巧妙的动态规划. 你会发现每一个区间地颜色种类不能超过 $\sqrt n$, 所以可以直接枚举区间颜色种类. 令这个为 $pos[j],$ 然后考虑如何去更新这个东西就行了. Code: #inc ...

  6. CF915E 动态开线段树

    CF915E 动态开线段树 题面 因为\(n\le10^9\),所以动态开点,线段树维护\([1,n]\)天非工作日数量. 之前的结构体写法被卡了,只能改成函数传l,r(虽然也不难) 动态开点好写,但 ...

  7. 修改quartus 配置rom时memory很小的问题。

    我用的是quartus ii 13版本的仿真软件,在做VGA实验时显示用到640*480的图片所以就需要307200*1bit的rom.但是坑爹的megawizard- plug-in-manager ...

  8. 提交项目到Github

    create a new repository on the command line git init git add README.md git commit -m "first com ...

  9. java试题复盘——11月13日

    上: 10. AccessViolationException异常触发后,下列程序的输出结果为(   A   ) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 AccessViol ...

  10. 全局安装webpack和本地安装

    前提条件 在开始之前,请确保安装了 Node.js 的最新版本.使用 Node.js 最新的长期支持版本(LTS - Long Term Support),是理想的起步.使用旧版本,你可能遇到各种问题 ...