报错信息

浏览器中看到的报错

错误摘要:

The request was rejected because the URL contained a potentially malicious String ";"

从控制台看到的报错

2019-09-09 10:39:30,149 ERROR (DirectJDKLog.java:182)- Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception

org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"

	at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)

	at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:245)

	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:194)

	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)

	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)

	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)

	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

	at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109)

	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

	at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)

	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)

	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)

	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)

	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)

	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)

	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)

	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)

	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)

	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)

	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)

	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)

	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)

	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)

	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)

	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)

	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

	at java.lang.Thread.run(Thread.java:748)

环境信息

***Springboot2.0 + Spring Security ***

代码追踪

我们可以找到org.springframework.security.web.firewall.StrictHttpFirewall

/**

 * <p>

 * Determines if semicolon is allowed in the URL (i.e. matrix variables). The default

 * is to disable this behavior because it is a common way of attempting to perform

 * <a href="https://www.owasp.org/index.php/Reflected_File_Download">Reflected File Download Attacks</a>.

 * It is also the source of many exploits which bypass URL based security.

 * </p>

 * <p>For example, the following CVEs are a subset of the issues related

 * to ambiguities in the Servlet Specification on how to treat semicolons that

 * led to CVEs:

 * </p>

 * <ul>

 *     <li><a href="https://pivotal.io/security/cve-2016-5007">cve-2016-5007</a></li>

 *     <li><a href="https://pivotal.io/security/cve-2016-9879">cve-2016-9879</a></li>

 *     <li><a href="https://pivotal.io/security/cve-2018-1199">cve-2018-1199</a></li>

 * </ul>

 *

 * <p>

 * If you are wanting to allow semicolons, please reconsider as it is a very common

 * source of security bypasses. A few common reasons users want semicolons and

 * alternatives are listed below:

 * </p>

 * <ul>

 * <li>Including the JSESSIONID in the path - You should not include session id (or

 * any sensitive information) in a URL as it can lead to leaking. Instead use Cookies.

 * </li>

 * <li>Matrix Variables - Users wanting to leverage Matrix Variables should consider

 * using HTTP parameters instead.

 * </li>

 * </ul>

 *

 * @param allowSemicolon should semicolons be allowed in the URL. Default is false

 */

public void setAllowSemicolon(boolean allowSemicolon) {

	if (allowSemicolon) {

		urlBlacklistsRemoveAll(FORBIDDEN_SEMICOLON);

	} else {

		urlBlacklistsAddAll(FORBIDDEN_SEMICOLON);

	}

}

这里提到了,如果您想要分号,请重新考虑,因为它是安全绕过的一个非常常见的来源。 下面列出了用户需要分号和替代品的一些常见原因:

在路径中包含JSESSIONID - 您不应在URL中包含会话ID(或任何敏感信息),因为它可能导致泄漏。 而是使用Cookies。

解决方案

@SpringBootApplication

public class Application {

    public static void main(String[] args) {

        SpringApplication.run(Application.class, args);

    }

    @Bean

    public HttpFirewall allowUrlSemicolonHttpFirewall() {

        StrictHttpFirewall firewall = new StrictHttpFirewall();

        firewall.setAllowSemicolon(true);

        return firewall;

    }

}

放开了该安全限制,就不会遇到该报错了,不适合对于安全性要求非常高的应用。

The request was rejected because the URL contained a potentially malicious String ";"报错解决的更多相关文章

  1. security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"

    今天有个接口打算使用矩阵变量来绑定参数,即使用@MatrixVariable注解来接收参数 调用接口后项目报了如下错误 org.springframework.security.web.firewal ...

  2. SpringBoot整合升级Spring Security 报错 【The request was rejected because the URL was not normalized】

    前言 最近LZ给项目框架升级, 从Spring1.x升级到Spring2.x, 在这里就不多赘述两个版本之间的区别以及升级的原因. 关于升级过程中踩的坑,在其他博文中会做比较详细的记录,以便给读者参考 ...

  3. spring boot The request was rejected because the URL was not normalized

    升级spring boot 1.5.10.RELEASE 版本后,突然发现之前能Nginx代理能请求的地址抛如下异常: org.springframework.security.web.firewal ...

  4. XmlDocument.Load(url) url是https远程时,报错" 基础连接已经关闭: 未能为 SSL/TLS 安全通道建立信任关系。" "根据验证过程,远程证书无效。"

    XmlDocument.Load(url)  url是https远程时,报错" 基础连接已经关闭: 未能为 SSL/TLS 安全通道建立信任关系."   "根据验证过程, ...

  5. iOS url带中文下载时 报错解决方法

    问题描述:下载文件时, 请求带中文的URL的资源时,比如:http://s237.sznews.com/pic/2010/11/23/e4fa5794926548ac953a8a525a23b6f2/ ...

  6. django ajax报错解决:You called this URL via POST, but the URL doesn't end in a slash and you have APPEND_SLASH set.

    Django版本号:1.11.15 django中ajax请求报错:You called this URL via POST, but the URL doesn't end in a slash a ...

  7. iOS开发-url包括中文报错解决的方法

    常常, 我们用通过这个方案调用API. NSString* urlString = [NSString stringWithFormat:@"http://api.douban.com/v2 ...

  8. 报错解决——uwsgi错误invalid request block size

    uwsgi错误invalid request block size 使用uwsgi启动django代码,然后打开浏览器输入http://localhost:8000/admin.后台出现下面错误 in ...

  9. Exception occurred while processing this request, check the log for more information!安装ActiveMq-5.14.1 配置安全验证报错解决

    安装ActiveMq-5.14.1  并配置了安全验证成功后,客户端也连接成功了.服务端也能通过http://IP:8161登录到控制台. 但是在点击队列,想要查看队列视图时报错,如下图: 查看日志发 ...

随机推荐

  1. oracle 给表字段把VARCHAR2 换成 CLOB

    select * from TableName -- 添加一个字段 alter table TableName add 字段2 clob; --复制数据到此字段update TableName set ...

  2. sql prompt工具

    SQL Prompt是一款拥有SQL智能提示功能和格式化Sql代码插件.可用于的SQL Server和VS. SQL Prompt能根据数据库的对象名称,语法和用户编写的代码片段自动进行检索,智能的为 ...

  3. 从 ES6 到 ES10 的新特性万字大总结

    以下文章来源于鱼头的Web海洋 ,作者陈大鱼头   鱼头的Web海洋 一个名为Web的海洋世界 (给前端大全加星标,提升前端技能) 作者:鱼头的Web海洋 公号 / 陈大鱼头 (本文来自作者投稿) 介 ...

  4. Codeforces Round #592 (Div. 2)【C题】{补题ING}

    思路:x,y,z肯定不为负数xw+dy=p,直接枚举系数较小的y即可,y的范围:y<w,因为大于w的时候,不如去增加x,这样x+y的和还能保持尽可能小. /* x*w+y*d=p; x*w+(K ...

  5. Activiti服务类- RuntimeService服务类

    一共89个接口1.启动流程实例(20个方法)//使用给定的键在流程定义的最新版本中启动一个新的流程实例.ProcessInstance startProcessInstanceByKey(String ...

  6. 洛谷 P3382 【模板】三分法(三分 二分)

    P3382 [模板]三分法 题目提供者HansBug 难度 普及/提高- 题目描述 如题,给出一个N次函数,保证在范围[l,r]内存在一点x,使得[l,x]上单调增,[x,r]上单调减.试求出x的值. ...

  7. 8月清北学堂培训 Day2

    今天是赵和旭老师的讲授~ 背包 dp 模型 背包 dp 一般是给出一些“物品”,每个物品具有一些价值参数和花费参数,要求 在满足花费限制下最大化价值或者方案数. 最简单几种类型以及模型: 0/1背包: ...

  8. 【locust】使用locust + boomer实现对接口的压测

    背景 很早之前,考虑单机执行能力,使用locust做过公司短信网关的压测工作,后来发现了一个golang版本的locust,性能是python版本的5到10倍以上,但是一直没有机会使用. 最近公司想做 ...

  9. k8s Ipvs 内部网络自动分配和内部网络一致ip地址,导致ip冲突

    [链接]Linux负载均衡--LVS(IPVS)https://www.jianshu.com/p/36880b085265 [链接]kube-proxyipvsmodecreateunnecessa ...

  10. Javascript中数组查重的方法总结大全

    数组查重:简单点说,就是找出数组中重复的元素然后去除,最后得到一个没有重复元素的数组. // 方法一思路:     1.构建一个新的数组,用于存放结果.       2.for循环中每次从数组取出一个 ...