Error message

Error seen in the browser

Error summary:

The request was rejected because the URL contained a potentially malicious String ";"

Error seen in the console

2019-09-09 10:39:30,149 ERROR (DirectJDKLog.java:182)- Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception
org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)
at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:245)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:194)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:357)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:270)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:109)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:81)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:200)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:496)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)

Environment

Spring Boot 2.0 + Spring Security

Tracing the code

Following the stack trace, we find org.springframework.security.web.firewall.StrictHttpFirewall, which contains the following method:

    /**
     * <p>
     * Determines if semicolon is allowed in the URL (i.e. matrix variables). The default
     * is to disable this behavior because it is a common way of attempting to perform
     * <a href="https://www.owasp.org/index.php/Reflected_File_Download">Reflected File Download Attacks</a>.
     * It is also the source of many exploits which bypass URL based security.
     * </p>
     * <p>For example, the following CVEs are a subset of the issues related
     * to ambiguities in the Servlet Specification on how to treat semicolons that
     * led to CVEs:
     * </p>
     * <ul>
     * <li><a href="https://pivotal.io/security/cve-2016-5007">cve-2016-5007</a></li>
     * <li><a href="https://pivotal.io/security/cve-2016-9879">cve-2016-9879</a></li>
     * <li><a href="https://pivotal.io/security/cve-2018-1199">cve-2018-1199</a></li>
     * </ul>
     *
     * <p>
     * If you are wanting to allow semicolons, please reconsider as it is a very common
     * source of security bypasses. A few common reasons users want semicolons and
     * alternatives are listed below:
     * </p>
     * <ul>
     * <li>Including the JSESSIONID in the path - You should not include session id (or
     * any sensitive information) in a URL as it can lead to leaking. Instead use Cookies.
     * </li>
     * <li>Matrix Variables - Users wanting to leverage Matrix Variables should consider
     * using HTTP parameters instead.
     * </li>
     * </ul>
     *
     * @param allowSemicolon should semicolons be allowed in the URL. Default is false
     */
    public void setAllowSemicolon(boolean allowSemicolon) {
        if (allowSemicolon) {
            urlBlacklistsRemoveAll(FORBIDDEN_SEMICOLON);
        } else {
            urlBlacklistsAddAll(FORBIDDEN_SEMICOLON);
        }
    }

The Javadoc says it plainly: if you want to allow semicolons, please reconsider, because they are a very common source of security bypasses. It then lists common reasons users want semicolons, together with the alternatives:

Including the JSESSIONID in the path: you should not put the session ID (or any other sensitive information) in a URL, because it can leak. Use cookies instead.

Solution

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.security.web.firewall.HttpFirewall;
import org.springframework.security.web.firewall.StrictHttpFirewall;

@SpringBootApplication
public class Application {
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    // An HttpFirewall bean replaces Spring Security's default firewall; this one keeps every other check but allows ';'.
    @Bean
    public HttpFirewall allowUrlSemicolonHttpFirewall() {
        StrictHttpFirewall firewall = new StrictHttpFirewall();
        firewall.setAllowSemicolon(true);
        return firewall;
    }
}

Relaxing this restriction makes the error go away, but it is not appropriate for applications with very high security requirements.
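To see exactly what the bean above changes before deploying it, the following added example (not code from the original post) runs StrictHttpFirewall directly against constructed requests: a matrix-variable path with ';' under the default configuration, the same data sent as a query parameter (the alternative the Javadoc recommends), and the ';' path again after setAllowSemicolon(true). It assumes spring-security-web and spring-test (for MockHttpServletRequest) are on the classpath.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.security.web.firewall.RequestRejectedException;
import org.springframework.security.web.firewall.StrictHttpFirewall;

/**
 * Runs StrictHttpFirewall against sample requests so the effect of
 * setAllowSemicolon can be checked in isolation, without a running server.
 */
public class SemicolonFirewallDemo {

    /** True if the firewall lets the request through, false if it throws RequestRejectedException. */
    static boolean accepts(StrictHttpFirewall firewall, String requestUri, String queryString) {
        // Constructed request: a real container would split path and query string the same way
        MockHttpServletRequest request = new MockHttpServletRequest("GET", requestUri);
        request.setQueryString(queryString);
        try {
            firewall.getFirewalledRequest(request);
            return true;
        } catch (RequestRejectedException e) {
            System.out.println("rejected " + requestUri + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample paths: the matrix-variable form puts ';' in the path,
        // the alternative carries the same value as an ordinary HTTP parameter.
        String matrixPath = "/items;color=red";
        String plainPath = "/items";

        // Default configuration: FORBIDDEN_SEMICOLON is in the URL blacklist
        StrictHttpFirewall strict = new StrictHttpFirewall();
        System.out.println("default, matrix path accepted: " + accepts(strict, matrixPath, null));
        System.out.println("default, query param accepted: " + accepts(strict, plainPath, "color=red"));

        // The post's workaround: ';' is removed from the blacklist, all other checks stay active
        StrictHttpFirewall relaxed = new StrictHttpFirewall();
        relaxed.setAllowSemicolon(true);
        System.out.println("relaxed, matrix path accepted: " + accepts(relaxed, matrixPath, null));
    }
}
```

Moving the value into a query parameter keeps the default firewall intact, which is the option to prefer for an application where the restriction must stay.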
