当前位置: 首页> 教育> 就业 > 修复www服务trace漏洞

修复www服务trace漏洞

时间:2025/7/11 0:36:43来源:https://blog.csdn.net/weixin_44144092/article/details/139523285 浏览次数:0次

验证方式:curl -v -X TRACE ip:port,或使用其他接口调试工具如Postman
响应:状态行405 Method Not Allowed且响应体无内容

方案一:使用过滤器

若webserver是tomcat, 添加过滤器的方式有很多

@Component
public class TraceHttpMethodFilter extends OncePerRequestFilter {@Overrideprotected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {if (HttpMethod.TRACE.matches(request.getMethod())) {response.setStatus(HttpStatus.METHOD_NOT_ALLOWED.value());return;}filterChain.doFilter(request, response);}
}

若是springcloud gateway,其使用Netty作为webserver

@Component
public class GatewayTraceHttpMethodFilter implements WebFilter, Ordered {@Overridepublic int getOrder() {return HIGHEST_PRECEDENCE;}@Overridepublic Mono<Void> filter(ServerWebExchange exchange, WebFilterChain chain) {if (HttpMethod.TRACE == exchange.getRequest().getMethod()) {var response = exchange.getResponse();response.setStatusCode(HttpStatus.METHOD_NOT_ALLOWED);return response.setComplete();}return chain.filter(exchange);}
}

方案二:自定义WebServerFactory配置

若WebServer是Undertow

@Configuration
public class UndertowWebServerFactoryConfig implements WebServerFactoryCustomizer<UndertowServletWebServerFactory> {@Overridepublic void customize(UndertowServletWebServerFactory factory) {factory.addDeploymentInfoCustomizers(deploymentInfo -> {deploymentInfo.addInitialHandlerChainWrapper(httpHandler -> {HttpString[] disAllowedHttpMethods = {HttpString.tryFromString(HttpMethod.TRACE.name())};return new DisallowedMethodsHandler(httpHandler, disAllowedHttpMethods);});});}
}
关键字:修复www服务trace漏洞

版权声明:

本网仅为发布的内容提供存储空间,不对发表、转载的内容提供任何形式的保证。凡本网注明“来源:XXX网络”的作品,均转载自其它媒体,著作权归作者所有,商业转载请联系作者获得授权,非商业转载请注明出处。

我们尊重并感谢每一位作者,均已注明文章来源和作者。如因作品内容、版权或其它问题,请及时与我们联系,联系邮箱:809451989@qq.com,投稿邮箱:809451989@qq.com

责任编辑: