Open
Description
HDIV uses `org.hdiv.filter.ValidatorFilter` to handle URL access control, and the class extends `org.springframework.web.filter.OncePerRequestFilter`, which aims to guarantee a single execution per request dispatch. So if a request is forwarded or included, this filter will NOT filter it, which may lead to an access control bypass.
Assume we have the HDIV config below (in hdiv-config.xml). Note that it means to block all request URLs except `/` or `/forward`:
```xml
<hdiv:config excludedExtensions="css,png">
    <!-- only these two start pages are reachable without HDIV state -->
    <hdiv:startPages method="get">/</hdiv:startPages>
    <hdiv:startPages method="get">/forward</hdiv:startPages>
    <hdiv:startParameters>_method</hdiv:startParameters>
</hdiv:config>
```
and the controller:

```java
package org.springframework.samples.petclinic.web;

import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class ForwardController {

    // Protected resource: /secret is not listed as a start page in hdiv-config.xml.
    @RequestMapping(method = RequestMethod.GET, value = "/secret")
    @ResponseBody
    public String secret() {
        return "this is my secret";
    }

    // Allowed start page that performs a server-side forward to /secret.
    @RequestMapping(method = RequestMethod.GET, value = "/forward")
    public String forward() {
        return "forward:/secret";
    }
}
```
Now visit `/secret`, and we see that it's unauthorized.

Visit `/forward`, and it's redirected to the unauthorized page.
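The following is an added example, not code from HDIV or from this issue. It shows one defensive shape for a URL access-control filter that is evaluated on every dispatch type instead of once per request: it implements `javax.servlet.Filter` directly rather than extending `OncePerRequestFilter`, and registers itself for `REQUEST`, `FORWARD` and `INCLUDE` dispatches. The package name `example.security`, the class names and the `START_PAGES` allow-list are assumptions constructed to mirror the config above; the servlet and Spring APIs used (`javax.servlet.Filter`, `DispatcherType`, `RequestDispatcher.FORWARD_REQUEST_URI`, `WebApplicationInitializer`) are standard Servlet 3.0 and Spring MVC APIs.

```java
// Added example (hypothetical, not HDIV's ValidatorFilter): an access-control
// filter that implements javax.servlet.Filter directly instead of extending
// OncePerRequestFilter, so a forward:/secret issued inside the chain is checked
// against the same allow-list as a direct request for /secret.
package example.security; // assumed package name

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.FilterRegistration;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.WebApplicationInitializer;

public class PerDispatchAccessFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(PerDispatchAccessFilter.class.getName());

    // Constructed allow-list mirroring the two hdiv:startPages from the issue.
    private static final Set<String> START_PAGES = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("/", "/forward")));

    /** Pure decision function: only listed start pages are reachable without state. */
    static boolean isStartPage(String path) {
        return START_PAGES.contains(path);
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure in this example
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // On a FORWARD dispatch the request URI already names the forward target
        // (/secret), so the allow-list is applied to the resource that will
        // actually be served, not to the start page that issued the forward.
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (request.getDispatcherType() == DispatcherType.FORWARD) {
            // Audit trail for detection: record which start page forwarded where.
            Object origin = request.getAttribute(RequestDispatcher.FORWARD_REQUEST_URI);
            LOG.info("forward from " + origin + " to " + path);
        }

        if (!isStartPage(path)) {
            // Denied on every dispatch type; OncePerRequestFilter would have
            // skipped this branch on the forwarded dispatch.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
    }

    /**
     * Registers the filter for REQUEST, FORWARD and INCLUDE dispatches. A filter
     * mapped only for REQUEST (the servlet container default) never sees a
     * forward at all, regardless of whether it extends OncePerRequestFilter.
     */
    public static class Initializer implements WebApplicationInitializer {
        @Override
        public void onStartup(ServletContext ctx) {
            FilterRegistration.Dynamic reg =
                    ctx.addFilter("perDispatchAccessFilter", PerDispatchAccessFilter.class);
            reg.addMappingForUrlPatterns(
                    EnumSet.of(DispatcherType.REQUEST, DispatcherType.FORWARD, DispatcherType.INCLUDE),
                    true, "/*");
        }
    }
}
```

This toy models only the start-page allow-list (HDIV additionally admits non-start pages that carry valid state), so with the controller above a `GET /forward` is admitted on the `REQUEST` dispatch and then denied with 403 on the `FORWARD` dispatch to `/secret`, which is the behaviour an access-control filter needs here. The log line is the detection hook: a forward whose target is not a start page is worth alerting on while the underlying filter is being fixed.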