HTTP TRACE&TRACK漏洞修复

11 months ago · 2102c9e7a5
parent e5d26ba277
commit 2102c9e7a5
2 changed files with 69 additions and 51 deletions
--- a/xxl-job-core/src/main/java/com/xxl/job/core/biz/model/ReturnT.java
+++ b/xxl-job-core/src/main/java/com/xxl/job/core/biz/model/ReturnT.java
@ -4,54 +4,64 @@ import java.io.Serializable;

 /**
 * common return
- * @author xuxueli 2015-12-4 16:32:31
+ *
 * @param <T>
+ * @author xuxueli 2015-12-4 16:32:31
 */
 public class ReturnT<T> implements Serializable {
-	public static final long serialVersionUID = 42L;
-
-	public static final int SUCCESS_CODE = 200;
-	public static final int FAIL_CODE = 500;
-
-	public static final ReturnT<String> SUCCESS = new ReturnT<String>(null);
-	public static final ReturnT<String> FAIL = new ReturnT<String>(FAIL_CODE, null);
-
-	private int code;
-	private String msg;
-	private T content;
-
-	public ReturnT(){}
-	public ReturnT(int code, String msg) {
-		this.code = code;
-		this.msg = msg;
-	}
-	public ReturnT(T content) {
-		this.code = SUCCESS_CODE;
-		this.content = content;
-	}
-	
-	public int getCode() {
-		return code;
-	}
-	public void setCode(int code) {
-		this.code = code;
-	}
-	public String getMsg() {
-		return msg;
-	}
-	public void setMsg(String msg) {
-		this.msg = msg;
-	}
-	public T getContent() {
-		return content;
-	}
-	public void setContent(T content) {
-		this.content = content;
-	}
-
-	@Override
-	public String toString() {
-		return "ReturnT [code=" + code + ", msg=" + msg + ", content=" + content + "]";
-	}
+    public static final long serialVersionUID = 42L;
+
+    public static final int SUCCESS_CODE = 200;
+    public static final int FAIL_CODE = 500;
+    public static final int METHOD_NOT_ALLOWED = 405;
+
+    public static final ReturnT<String> SUCCESS = new ReturnT<String>(null);
+    public static final ReturnT<String> FAIL = new ReturnT<String>(FAIL_CODE, null);
+
+    private int code;
+    private String msg;
+    private T content;
+
+    public ReturnT() {
+    }
+
+    public ReturnT(int code, String msg) {
+        this.code = code;
+        this.msg = msg;
+    }
+
+    public ReturnT(T content) {
+        this.code = SUCCESS_CODE;
+        this.content = content;
+    }
+
+    public int getCode() {
+        return code;
+    }
+
+    public void setCode(int code) {
+        this.code = code;
+    }
+
+    public String getMsg() {
+        return msg;
+    }
+
+    public void setMsg(String msg) {
+        this.msg = msg;
+    }
+
+    public T getContent() {
+        return content;
+    }
+
+    public void setContent(T content) {
+        this.content = content;
+    }
+
+    @Override
+    public String toString() {
+        return "ReturnT [code=" + code + ", msg=" + msg + ", content=" + content + "]";
+    }

 }
--- a/xxl-job-core/src/main/java/com/xxl/job/core/server/EmbedServer.java
+++ b/xxl-job-core/src/main/java/com/xxl/job/core/server/EmbedServer.java
@ -156,16 +156,24 @@ public class EmbedServer {
                public void run() {
                    // do invoke
                    Object responseObj = process(httpMethod, uri, requestData, accessTokenReq);
-
+                    HttpResponseStatus status = resolveHttpStatus(responseObj);
                    // to json
                    String responseJson = GsonTool.toJson(responseObj);
-
                    // write response
-                    writeResponse(ctx, keepAlive, responseJson);
+                    writeResponse(ctx, keepAlive, status, responseJson);
                }
            });
        }

+        private HttpResponseStatus resolveHttpStatus(Object responseObj) {
+            if (responseObj instanceof ReturnT) {
+                ReturnT returnT = (ReturnT) responseObj;
+                return returnT.getCode() == ReturnT.METHOD_NOT_ALLOWED ? HttpResponseStatus.METHOD_NOT_ALLOWED : HttpResponseStatus.OK;
+            } else {
+                return HttpResponseStatus.OK;
+            }
+        }
+
        private Object process(HttpMethod httpMethod, String uri, String requestData, String accessTokenReq) {
            // valid
            if (HttpMethod.POST != httpMethod) {
@ -209,9 +217,9 @@ public class EmbedServer {
        /**
         * write response
         */
-        private void writeResponse(ChannelHandlerContext ctx, boolean keepAlive, String responseJson) {
+        private void writeResponse(ChannelHandlerContext ctx, boolean keepAlive, HttpResponseStatus status, String responseJson) {
            // write response
-            FullHttpResponse response = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.OK, Unpooled.copiedBuffer(responseJson, CharsetUtil.UTF_8));   //  Unpooled.wrappedBuffer(responseJson)
+            FullHttpResponse response = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, status, Unpooled.copiedBuffer(responseJson, CharsetUtil.UTF_8));   //  Unpooled.wrappedBuffer(responseJson)
            response.headers().set(HttpHeaderNames.CONTENT_TYPE, "text/html;charset=UTF-8");       // HttpHeaderValues.TEXT_PLAIN.toString()
            response.headers().set(HttpHeaderNames.CONTENT_LENGTH, response.content().readableBytes());
            if (keepAlive) {