Commit a65eab89 authored by 王炜's avatar 王炜

修改权限通用查询过滤sql注入问题,导致动态页面无法保存,追加jsonArray判断

parent 88c67ef1
...@@ -12,6 +12,7 @@ import leaf.events.E_ServiceFinish; ...@@ -12,6 +12,7 @@ import leaf.events.E_ServiceFinish;
import leaf.service.*; import leaf.service.*;
import leaf.transaction.ITransactionService; import leaf.transaction.ITransactionService;
import leaf.transaction.UserTransactionImpl; import leaf.transaction.UserTransactionImpl;
import org.json.JSONArray;
import org.json.JSONObject; import org.json.JSONObject;
import org.springframework.security.web.csrf.CsrfToken; import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository; import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
...@@ -116,6 +117,7 @@ public abstract class AbstractFacadeServlet extends HttpServlet { ...@@ -116,6 +117,7 @@ public abstract class AbstractFacadeServlet extends HttpServlet {
if(it.getKey().equals("_request_data")&&!it.getValue()[0].isEmpty()){ if(it.getKey().equals("_request_data")&&!it.getValue()[0].isEmpty()){
JSONObject requestData = new JSONObject(it.getValue()[0]); JSONObject requestData = new JSONObject(it.getValue()[0]);
if(requestData.has("parameter")){ if(requestData.has("parameter")){
if(!(requestData.get("parameter") instanceof JSONArray)){
JSONObject paraOject=requestData.getJSONObject("parameter"); JSONObject paraOject=requestData.getJSONObject("parameter");
if (paraOject.has("trx_id")){ if (paraOject.has("trx_id")){
String trx_id=paraOject.get("trx_id").toString().toLowerCase(); String trx_id=paraOject.get("trx_id").toString().toLowerCase();
...@@ -133,6 +135,8 @@ public abstract class AbstractFacadeServlet extends HttpServlet { ...@@ -133,6 +135,8 @@ public abstract class AbstractFacadeServlet extends HttpServlet {
} }
} }
}
} }
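Review bot: The added `if(!(requestData.get("parameter") instanceof JSONArray)){` guard (hunk at new line 117) exempts every array-shaped `parameter` from the `trx_id` check, so `trx_id` values carried inside array elements are no longer inspected. If the permission query downstream reads them (that code is not visible here), the injection filter this commit is meant to preserve is skipped for that request shape; applying the same check to each `JSONObject` element of the array would close the gap. The guard also still lets a string, number or null `parameter` reach `getJSONObject("parameter")`, which throws `JSONException`; `JSONObject paraOject = requestData.optJSONObject("parameter");` followed by a null check handles every shape. The enclosing method and the `trx_id` validation between the hunks lie outside the visible lines, so this is inferred from the guard alone. A comment above the guard such as `// parameter may be a JSONArray for dynamic-page saves; trx_id is validated per element` would record why the branch exists.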
......