From daa19c59ce49f3db5a64aeb4b16e8e89130e3fcc Mon Sep 17 00:00:00 2001 From: thinkgem Date: Wed, 17 Jun 2020 14:16:29 +0800 Subject: [PATCH] =?UTF-8?q?=E5=88=86=E9=A1=B5=E6=8E=92=E5=BA=8F=E6=BC=8F?= =?UTF-8?q?=E6=B4=9E=E4=BF=AE=E8=A1=A5=EF=BC=8CCNVD-C-2020-126476?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../src/main/java/com/jeesite/common/codec/EncodeUtils.java | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java b/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java index 69dfb93f..7122b698 100644 --- a/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java +++ b/common/src/main/java/com/jeesite/common/codec/EncodeUtils.java @@ -261,7 +261,10 @@ public class EncodeUtils { } // 预编译SQL过滤正则表达式 - private static Pattern sqlPattern = Pattern.compile("(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|(\\b(select|update|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute|case when)\\b)", Pattern.CASE_INSENSITIVE); + private static Pattern sqlPattern = Pattern.compile( + "(?:')|(?:--)|(/\\*(?:.|[\\n\\r])*?\\*/)|((extractvalue|updatexml)([\\s]*?)\\()|" + + "(\\b(select|update|and|or|delete|insert|trancate|char|into|substr|ascii|declare|exec|count|master|into|drop|execute|case when)\\b)", + Pattern.CASE_INSENSITIVE); /** * SQL过滤,防止注入,传入参数输入有select相关代码,替换空。
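Review bot: The rewritten `sqlPattern` keyword list still carries the misspelled keyword `trancate`, so an actual `truncate` statement is never matched, and `into` appears twice; the new line should read `...|delete|insert|truncate|char|into|substr|...` with the duplicate dropped, and the field could be `private static final Pattern sqlPattern` since nothing here reassigns it. The added `((extractvalue|updatexml)([\\s]*?)\\()` alternative has no `\\b` anchor and names only two functions, so this remains a denylist: any SQL function or keyword not on the list passes the filter unchanged, which is a weak control for the pagination/ordering issue the subject attributes to CNVD-C-2020-126476. For a sort/order-by parameter the robust check is an allow-list in the caller, for example rejecting anything that is not a known column name or fails a shape check such as `orderBy.matches("^\\w+(\\.\\w+)?(\\s+(?i:asc|desc))?$")`, with sqlFilter kept only as defense in depth. The enclosing class `EncodeUtils` and the javadoc that follows the field continue outside the hunk.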