【优化】修改密码交互优化，解决CSRF隐患。

4 months ago · 0885d7d8fe
parent b93b4ee5db
commit 0885d7d8fe
7 changed files with 33 additions and 11 deletions
--- a/doc/XXL-JOB官方文档.md
+++ b/doc/XXL-JOB官方文档.md
@ -2370,7 +2370,7 @@ public void execute() {
 - 1、【升级】多个项目依赖升级至较新稳定版本，涉及netty、groovy、gson、springboot、mybatis等；
 - 2、【修复】"CVE-2024-42681" 子任务越权漏洞修复；
 - 3、【优化】Cron解析组件优化代码优化。
- 3、[规划中]【优化】修改密码交互优化，提升系统安全；
+- 4、【优化】修改密码交互优化，解决CSRF隐患。



--- a/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/UserController.java
+++ b/xxl-job-admin/src/main/java/com/xxl/job/admin/controller/UserController.java
@ -151,11 +151,14 @@ public class UserController {

    @RequestMapping("/updatePwd")
    @ResponseBody
-    public ReturnT<String> updatePwd(HttpServletRequest request, String password){
+    public ReturnT<String> updatePwd(HttpServletRequest request, String password, String oldPassword){

-        // valid password
+        // valid
+        if (oldPassword==null || oldPassword.trim().length()==0){
+            return new ReturnT<String>(ReturnT.FAIL.getCode(), I18nUtil.getString("system_please_input") + I18nUtil.getString("change_pwd_field_oldpwd"));
+        }
        if (password==null || password.trim().length()==0){
-            return new ReturnT<String>(ReturnT.FAIL.getCode(), "密码不可为空");
+            return new ReturnT<String>(ReturnT.FAIL.getCode(), I18nUtil.getString("system_please_input") + I18nUtil.getString("change_pwd_field_oldpwd"));
        }
        password = password.trim();
        if (!(password.length()>=4 && password.length()<=20)) {
@ -163,13 +166,17 @@ public class UserController {
        }

        // md5 password
+        String md5OldPassword = DigestUtils.md5DigestAsHex(oldPassword.getBytes());
        String md5Password = DigestUtils.md5DigestAsHex(password.getBytes());

-        // update pwd
+        // valid old pwd
        XxlJobUser loginUser = PermissionInterceptor.getLoginUser(request);
-
-        // do write
        XxlJobUser existUser = xxlJobUserDao.loadByUserName(loginUser.getUsername());
+        if (!md5OldPassword.equals(existUser.getPassword())) {
+            return new ReturnT<String>(ReturnT.FAIL.getCode(), I18nUtil.getString("change_pwd_field_oldpwd") + I18nUtil.getString("system_unvalid"));
+        }
+
+        // write new
        existUser.setPassword(md5Password);
        xxlJobUserDao.update(existUser);

--- a/xxl-job-admin/src/main/resources/i18n/message_en.properties
+++ b/xxl-job-admin/src/main/resources/i18n/message_en.properties
@ -91,6 +91,7 @@ logout_fail=Logout fail
 ## change pwd
 change_pwd=Change password
 change_pwd_suc_to_logout=Change password successful, about to log out login
+change_pwd_field_oldpwd=old password
 change_pwd_field_newpwd=new password

 ## dashboard
--- a/xxl-job-admin/src/main/resources/i18n/message_zh_CN.properties
+++ b/xxl-job-admin/src/main/resources/i18n/message_zh_CN.properties
@ -91,6 +91,7 @@ logout_fail=注销失败
 ## change pwd
 change_pwd=修改密码
 change_pwd_suc_to_logout=修改密码成功，即将注销登陆
+change_pwd_field_oldpwd=旧密码
 change_pwd_field_newpwd=新密码

 ## dashboard
--- a/xxl-job-admin/src/main/resources/i18n/message_zh_TC.properties
+++ b/xxl-job-admin/src/main/resources/i18n/message_zh_TC.properties
@ -91,6 +91,7 @@ logout_fail=登出失敗
 ## change pwd
 change_pwd=修改密碼
 change_pwd_suc_to_logout=修改密碼成功，即將登出
+change_pwd_field_oldpwd=舊密碼
 change_pwd_field_newpwd=新密碼

 ## dashboard
--- a/xxl-job-admin/src/main/resources/static/js/common.1.js
+++ b/xxl-job-admin/src/main/resources/static/js/common.1.js
@ -99,15 +99,23 @@ $(function(){
        errorClass : 'help-block',
        focusInvalid : true,
        rules : {
+            oldPassword : {
+                required : true ,
+                rangelength:[4,20]
+            },
            password : {
                required : true ,
-                rangelength:[4,50]
+                rangelength:[4,20]
            }
        },
        messages : {
+            oldPassword : {
+                required : I18n.system_please_input +I18n.change_pwd_field_oldpwd,
+                rangelength : "密码长度限制为4~20"
+            },
            password : {
-                required : '请输入密码'  ,
-                rangelength : "密码长度限制为4~50"
+                required : I18n.system_please_input +I18n.change_pwd_field_newpwd,
+                rangelength : "密码长度限制为4~20"
            }
        },
        highlight : function(element) {
--- a/xxl-job-admin/src/main/resources/templates/common/common.macro.ftl
+++ b/xxl-job-admin/src/main/resources/templates/common/common.macro.ftl
@ -107,9 +107,13 @@
 				</div>
 				<div class="modal-body">
 					<form class="form-horizontal form" role="form" >
+						<div class="form-group">
+							<label for="lastname" class="col-sm-2 control-label">${I18n.change_pwd_field_oldpwd}<font color="red">*</font></label>
+							<div class="col-sm-10"><input type="text" class="form-control" name="oldPassword" placeholder="${I18n.system_please_input} ${I18n.change_pwd_field_oldpwd}" maxlength="20" ></div>
+						</div>
 						<div class="form-group">
 							<label for="lastname" class="col-sm-2 control-label">${I18n.change_pwd_field_newpwd}<font color="red">*</font></label>
-							<div class="col-sm-10"><input type="text" class="form-control" name="password" placeholder="${I18n.system_please_input} ${I18n.change_pwd_field_newpwd}" maxlength="18" ></div>
+							<div class="col-sm-10"><input type="text" class="form-control" name="password" placeholder="${I18n.system_please_input} ${I18n.change_pwd_field_newpwd}" maxlength="20" ></div>
 						</div>
 						<hr>
 						<div class="form-group">