mirror of
https://github.com/qaiu/netdisk-fast-download.git
synced 2026-06-10 15:37:28 +00:00
fix: HttpProxyVerticle代理认证绕过漏洞
SEC-01: 修复三个安全问题: 1. split.length<=1时直接放行请求,现在返回403 2. Base64解码无异常处理,现在捕获IllegalArgumentException返回403 3. 日志中明文记录密码,现在只记录用户名
This commit is contained in:
yukaidi
@@ -129,16 +129,25 @@ public class HttpProxyVerticle extends AbstractVerticle {
|
|||||||
clientRequest.response().setStatusCode(403).end();
|
clientRequest.response().setStatusCode(403).end();
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
String[] split = new String(Base64.getDecoder().decode(s.replace("Basic ", ""))).split(":");
|
String[] split;
|
||||||
if (split.length > 1) {
|
try {
|
||||||
// TODO
|
split = new String(Base64.getDecoder().decode(s.replace("Basic ", ""))).split(":");
|
||||||
String username = proxyServerConf.getString("username");
|
} catch (IllegalArgumentException e) {
|
||||||
String password = proxyServerConf.getString("password");
|
LOGGER.warn("Proxy-Authorization header is not valid Base64");
|
||||||
if (!split[0].equals(username) || !split[1].equals(password)) {
|
clientRequest.response().setStatusCode(403).end();
|
||||||
LOGGER.info("-----auth failed------\nusername: {}\npassword: {}", username, password);
|
return;
|
||||||
clientRequest.response().setStatusCode(403).end();
|
}
|
||||||
return;
|
if (split.length <= 1) {
|
||||||
}
|
LOGGER.warn("Proxy-Authorization header format invalid: missing username:password separator");
|
||||||
|
clientRequest.response().setStatusCode(403).end();
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
String username = proxyServerConf.getString("username");
|
||||||
|
String password = proxyServerConf.getString("password");
|
||||||
|
if (!split[0].equals(username) || !split[1].equals(password)) {
|
||||||
|
LOGGER.info("-----auth failed------\nusername: {}", split[0]);
|
||||||
|
clientRequest.response().setStatusCode(403).end();
|
||||||
|
return;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user