manager/my-worker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

修正登录页记住账号在DES加密的情况下,会有XSS漏洞。

Browse Source
This commit is contained in:
thinkgem
2018-08-09 21:04:26 +08:00
parent 45a09933b0
commit 19ba6daea7
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
modules/core/src/main/java/com/jeesite/common/shiro/filter/FormAuthenticationFilter.java
View File

@@ -23,6 +23,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import com.jeesite.common.codec.DesUtils; import com.jeesite.common.codec.DesUtils;
import com.jeesite.common.codec.EncodeUtils;
import com.jeesite.common.config.Global; import com.jeesite.common.config.Global;
import com.jeesite.common.lang.ObjectUtils; import com.jeesite.common.lang.ObjectUtils;
import com.jeesite.common.lang.StringUtils; import com.jeesite.common.lang.StringUtils;
@@ -94,7 +95,7 @@ public class FormAuthenticationFilter extends org.apache.shiro.web.filter.authc.
} }
// 登录成功后,判断是否需要记住用户名 // 登录成功后,判断是否需要记住用户名
if (WebUtils.isTrue(request, DEFAULT_REMEMBER_USERCODE_PARAM)) { if (WebUtils.isTrue(request, DEFAULT_REMEMBER_USERCODE_PARAM)) {
rememberUserCodeCookie.setValue(username); rememberUserCodeCookie.setValue(EncodeUtils.xssFilter(username));
rememberUserCodeCookie.saveTo((HttpServletRequest)request, (HttpServletResponse)response); rememberUserCodeCookie.saveTo((HttpServletRequest)request, (HttpServletResponse)response);
} else { } else {
rememberUserCodeCookie.removeFrom((HttpServletRequest)request, (HttpServletResponse)response); rememberUserCodeCookie.removeFrom((HttpServletRequest)request, (HttpServletResponse)response);