Hardening method for the Struts 2 remote code execution vulnerability

Source: Internet | Editor: 程序博客网 | Time: 2024/06/08 12:39

The hardening approach is as follows:

    Check whether the Content-Type header is one of an allowlist of types, and reject requests whose Content-Type is not on that list, so that attacks carried in a forged Content-Type are blocked.

Hardening code:

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SecurityFilter implements Filter {

    // Allowlisted Content-Type values. The whole header value is compared
    // (case-insensitively), so a header carrying parameters such as
    // "multipart/form-data; boundary=..." does not match and is rejected.
    public final String www_url_encode = "application/x-www-form-urlencoded";
    // The original constant had a trailing space ("multipart/form-data "), so a
    // plain "multipart/form-data" header could never match; fixed here.
    public final String mul_data = "multipart/form-data";
    public final String txt_pla = "text/plain";

    public void doFilter(ServletRequest arg0, ServletResponse arg1, FilterChain arg2)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) arg0;
        HttpServletResponse response = (HttpServletResponse) arg1;

        // Header names are looked up case-insensitively by the Servlet API.
        String contentType = request.getHeader("Content-Type");

        // Requests without a Content-Type (e.g. a GET) pass through; any other
        // value must equal one of the three allowlisted types.
        if (contentType != null && !contentType.equals("")
                && !contentType.equalsIgnoreCase(www_url_encode)
                && !contentType.equalsIgnoreCase(mul_data)
                && !contentType.equalsIgnoreCase(txt_pla)) {
            response.setContentType("text/html;charset=UTF-8");
            response.getWriter().write("非法请求Content-Type!");
            return;
        }
        arg2.doFilter(request, response);
    }

    public void init(FilterConfig arg0) throws ServletException {
    }

    public void destroy() {
    }
}
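The allowlist decision the filter above makes, run over a few constructed request headers as an added example (not code from the original post). The media-type-only variant is an assumption added here to show what changes when only the part before the ';' is compared; the sample headers are constructed.

```python
"""Constructed harness for the Content-Type allowlist used by SecurityFilter above."""

# The three media types the filter on this page accepts (whole header, case-insensitive).
ALLOWED = ("application/x-www-form-urlencoded", "multipart/form-data", "text/plain")


def filter_allows(content_type):
    """Mirror of the page's filter condition: an absent or empty header passes,
    otherwise the whole header value must equal one of ALLOWED, ignoring case."""
    if content_type is None or content_type == "":
        return True
    return content_type.lower() in ALLOWED


def media_type_allows(content_type):
    """Looser variant (assumption, not on the page): compare only the media type,
    i.e. the part before the first ';', so 'multipart/form-data; boundary=x' passes.
    The trade-off: everything after ';' is then forwarded to the framework unchecked."""
    if content_type is None or content_type == "":
        return True
    media_type = content_type.split(";", 1)[0].strip().lower()
    return media_type in ALLOWED


# Constructed sample headers a defender would want to check the policy against.
SAMPLES = [
    None,                                            # no body, e.g. a GET
    "application/x-www-form-urlencoded",             # ordinary form post
    "APPLICATION/X-WWW-FORM-URLENCODED",             # same type, odd casing
    "multipart/form-data; boundary=----constructed", # a real browser file upload
    "application/json",                              # not on the allowlist
    "multipart/form-data ",                          # trailing space, as in the page's original constant
]


def decision_table(samples=SAMPLES):
    """Return {header: (exact_match_result, media_type_only_result)} for each sample."""
    return {h: (filter_allows(h), media_type_allows(h)) for h in samples}


if __name__ == "__main__":
    for header, (exact, loose) in decision_table().items():
        print(f"{header!r:50} exact={exact!s:5} media-type-only={loose}")
```

Running it shows that a browser file upload (`multipart/form-data; boundary=...`) is rejected by the exact-match allowlist, so the list must be adjusted to the header values the application legitimately receives.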


1. Copy the compiled SecurityFilter.class (SecurityFilter.java is the source file) into the application's WEB-INF/classes directory.

2. Configure the filter

Add the following to the WEB-INF/web.xml file.

<filter>
    <filter-name>SecurityFilter</filter-name>
    <filter-class>SecurityFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>SecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

/* intercepts every request and runs the check on each of them; *.action checks only requests whose path ends in .action.


3. Restart the application.
