ahdoawhfo/netdisk-fast-download
1
0
Fork 0
mirror of https://github.com/qaiu/netdisk-fast-download.git synced 2026-06-10 15:37:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: HttpProxyVerticle代理认证绕过漏洞

Browse Source 
SEC-01: 修复三个安全问题:
1. split.length<=1时直接放行请求,现在返回403
2. Base64解码无异常处理,现在捕获IllegalArgumentException返回403
3. 日志中明文记录密码,现在只记录用户名
This commit is contained in:
yukaidi
2026-05-29 01:39:31 +08:00
parent 66d7a62d3a
commit 9a3ea05023
1 changed files with 19 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
core/src/main/java/cn/qaiu/vx/core/verticle/HttpProxyVerticle.java
View File

@@ -129,16 +129,25 @@ public class HttpProxyVerticle extends AbstractVerticle {
clientRequest.response().setStatusCode(403).end();
return;
}
String[] split = new String(Base64.getDecoder().decode(s.replace("Basic ", ""))).split(":");
if (split.length > 1) {
// TODO
String username = proxyServerConf.getString("username");
String password = proxyServerConf.getString("password");
if (!split[0].equals(username) || !split[1].equals(password)) {
LOGGER.info("-----auth failed------\nusername: {}\npassword: {}", username, password);
clientRequest.response().setStatusCode(403).end();
return;
}
String[] split;
try {
split = new String(Base64.getDecoder().decode(s.replace("Basic ", ""))).split(":");
} catch (IllegalArgumentException e) {
LOGGER.warn("Proxy-Authorization header is not valid Base64");
clientRequest.response().setStatusCode(403).end();
return;
}
if (split.length <= 1) {
LOGGER.warn("Proxy-Authorization header format invalid: missing username:password separator");
clientRequest.response().setStatusCode(403).end();
return;
}
String username = proxyServerConf.getString("username");
String password = proxyServerConf.getString("password");
if (!split[0].equals(username) || !split[1].equals(password)) {
LOGGER.info("-----auth failed------\nusername: {}", split[0]);
clientRequest.response().setStatusCode(403).end();
return;
}
}