HTTP TRACE&TRACK漏洞修复

11 months ago · 2102c9e7a5
parent e5d26ba277
commit 2102c9e7a5
2 changed files with 69 additions and 51 deletions
--- a/xxl-job-core/src/main/java/com/xxl/job/core/biz/model/ReturnT.java
+++ b/xxl-job-core/src/main/java/com/xxl/job/core/biz/model/ReturnT.java
@ -4,14 +4,16 @@ import java.io.Serializable;
 /**
 * common return
- * @author xuxueli 2015-12-4 16:32:31
+ *
 * @param <T>
 * @author xuxueli 2015-12-4 16:32:31
 */
 public class ReturnT<T> implements Serializable {
    public static final long serialVersionUID = 42L;
    public static final int SUCCESS_CODE = 200;
    public static final int FAIL_CODE = 500;
    public static final int METHOD_NOT_ALLOWED = 405;
    public static final ReturnT<String> SUCCESS = new ReturnT<String>(null);
    public static final ReturnT<String> FAIL = new ReturnT<String>(FAIL_CODE, null);
@ -20,11 +22,14 @@ public class ReturnT<T> implements Serializable {
    private String msg;
    private T content;
-	public ReturnT(){}
+    public ReturnT() {
    }
    public ReturnT(int code, String msg) {
        this.code = code;
        this.msg = msg;
    }
    public ReturnT(T content) {
        this.code = SUCCESS_CODE;
        this.content = content;
@ -33,18 +38,23 @@ public class ReturnT<T> implements Serializable {
    public int getCode() {
        return code;
    }
    public void setCode(int code) {
        this.code = code;
    }
    public String getMsg() {
        return msg;
    }
    public void setMsg(String msg) {
        this.msg = msg;
    }
    public T getContent() {
        return content;
    }
    public void setContent(T content) {
        this.content = content;
    }
--- a/xxl-job-core/src/main/java/com/xxl/job/core/server/EmbedServer.java
+++ b/xxl-job-core/src/main/java/com/xxl/job/core/server/EmbedServer.java
@ -156,16 +156,24 @@ public class EmbedServer {
                public void run() {
                    // do invoke
                    Object responseObj = process(httpMethod, uri, requestData, accessTokenReq);
-
+                    HttpResponseStatus status = resolveHttpStatus(responseObj);
                    // to json
                    String responseJson = GsonTool.toJson(responseObj);
                    // write response
-                    writeResponse(ctx, keepAlive, responseJson);
+                    writeResponse(ctx, keepAlive, status, responseJson);
                }
            });
        }
        private HttpResponseStatus resolveHttpStatus(Object responseObj) {
            if (responseObj instanceof ReturnT) {
                ReturnT returnT = (ReturnT) responseObj;
                return returnT.getCode() == ReturnT.METHOD_NOT_ALLOWED ? HttpResponseStatus.METHOD_NOT_ALLOWED : HttpResponseStatus.OK;
            } else {
                return HttpResponseStatus.OK;
            }
        }
        private Object process(HttpMethod httpMethod, String uri, String requestData, String accessTokenReq) {
            // valid
            if (HttpMethod.POST != httpMethod) {
@ -209,9 +217,9 @@ public class EmbedServer {
        /**
         * write response
         */
-        private void writeResponse(ChannelHandlerContext ctx, boolean keepAlive, String responseJson) {
+        private void writeResponse(ChannelHandlerContext ctx, boolean keepAlive, HttpResponseStatus status, String responseJson) {
            // write response
-            FullHttpResponse response = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, HttpResponseStatus.OK, Unpooled.copiedBuffer(responseJson, CharsetUtil.UTF_8));   //  Unpooled.wrappedBuffer(responseJson)
+            FullHttpResponse response = new DefaultFullHttpResponse(HttpVersion.HTTP_1_1, status, Unpooled.copiedBuffer(responseJson, CharsetUtil.UTF_8));   //  Unpooled.wrappedBuffer(responseJson)
            response.headers().set(HttpHeaderNames.CONTENT_TYPE, "text/html;charset=UTF-8");       // HttpHeaderValues.TEXT_PLAIN.toString()
            response.headers().set(HttpHeaderNames.CONTENT_LENGTH, response.content().readableBytes());
            if (keepAlive) {