Posted to commits@servicecomb.apache.org by GitBox <gi...@apache.org> on 2021/09/22 02:00:37 UTC

[GitHub] [servicecomb-java-chassis] nonehat commented on issue #2591: serviceComb has no API to obtain the normalized URL/URI, which easily leads to security vulnerabilities

nonehat commented on issue #2591:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2591#issuecomment-924520032


   // request is an io.vertx.core.http.HttpServerRequest
   String uri = request.path();
   Then the code relies on uri for access control, for example a specific uri must check whether the caller is admin:
   if (uri.equals("/api/v2/admin/only")) {
       // check whether the request's cookie corresponds to an admin
       // if so, let it through; otherwise, reject.
   }
   
   In this case, changing the request uri to /api/v2/admin/////////only bypasses this check, while the request is still dispatched normally to the handler.

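One way a handler can normalize the path itself before comparing it, shown as an added example that is not part of the issue or of the servicecomb-java-chassis project; the class and method names are hypothetical, and the path is taken as a plain String rather than from HttpServerRequest:

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Added example (hypothetical names; not servicecomb or Vert.x code):
// normalize a request path before using it for access control.
public final class PathAclExample {
    private static final String ADMIN_ONLY = "/api/v2/admin/only";

    // Collapse repeated slashes, drop "." segments, resolve ".." segments.
    // ".." above the root is clamped to the root; a stricter ACL may reject it.
    static String normalizePath(String rawPath) {
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : rawPath.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;            // "//" and "/./" contribute nothing
            }
            if (seg.equals("..")) {
                segments.pollLast(); // climb one level; no-op at the root
                continue;
            }
            segments.addLast(seg);
        }
        return "/" + String.join("/", segments);
    }

    // The check as written in the issue: exact match on the raw path.
    static boolean vulnerableIsAdminOnly(String rawPath) {
        return rawPath.equals(ADMIN_ONLY);
    }

    // Hardened check: compare the normalized form. Assumes rawPath is the
    // raw (not percent-decoded) path; if the router decodes before dispatch,
    // decode here the same way first so both sides see the same string.
    static boolean hardenedIsAdminOnly(String rawPath) {
        return normalizePath(rawPath).equals(ADMIN_ONLY);
    }

    public static void main(String[] args) {
        String[] samples = {            // constructed sample request paths
            "/api/v2/admin/only",
            "/api/v2/admin/////////only",
            "/api/v2/admin/./only",
            "/api/v2/admin/x/../only",
            "/api/v2/public/info",
        };
        for (String p : samples) {
            System.out.printf("%-30s raw=%-5b normalized=%-5b%n",
                p, vulnerableIsAdminOnly(p), hardenedIsAdminOnly(p));
        }
    }
}
```

The raw check only matches the first sample, while the normalized check matches the first four and still rejects the public path; when the router has its own normalization, the comparison should use whatever form the router dispatches on.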
