修复CVE-2022-22885，HttpGlobalConfig可选关闭信任host

2025-04-05 17:37:59 +08:00 · 2024-03-12 10:29:38 +08:00 · 2024-03-12 10:29:38 +08:00 · f15612cd55
commit f15612cd55
parent f2e154f5b5
3 changed files with 28 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,7 +2,7 @@
 # 🚀Changelog

 -------------------------------------------------------------------------------------------------------------
-# 5.8.27(2024-03-11)
+# 5.8.27(2024-03-12)

 ### 🐣新特性
 * 【extra 】      FreemarkerEngine修改默认版本参数
@ -14,6 +14,7 @@
 ### 🐞Bug修复
 * 【core  】      修复PathMover对目标已存在且只读文件报错错误问题（issue#I95CLT@Gitee）
 * 【json  】      修复JSONUtil序列化和反序列化预期的结果不一致问题（pr#3507@Github）
+* 【http  】      修复CVE-2022-22885，HttpGlobalConfig可选关闭信任host（issue#2042@Github）

 -------------------------------------------------------------------------------------------------------------
 # 5.8.26(2024-02-10)
--- a/hutool-http/src/main/java/cn/hutool/http/HttpConnection.java
+++ b/hutool-http/src/main/java/cn/hutool/http/HttpConnection.java
@ -276,7 +276,10 @@ public class HttpConnection {
 			// Https请求
 			final HttpsURLConnection httpsConn = (HttpsURLConnection) conn;
 			// 验证域
-			httpsConn.setHostnameVerifier(ObjectUtil.defaultIfNull(hostnameVerifier, DefaultSSLInfo.TRUST_ANY_HOSTNAME_VERIFIER));
+			httpsConn.setHostnameVerifier(ObjectUtil.defaultIfNull(hostnameVerifier,
+				// CVE-2022-22885 https://github.com/dromara/hutool/issues/2042
+				// 增加全局变量可选是否不验证host
+				HttpGlobalConfig.isTrustAnyHost() ? DefaultSSLInfo.TRUST_ANY_HOSTNAME_VERIFIER : HttpsURLConnection.getDefaultHostnameVerifier()));
 			httpsConn.setSSLSocketFactory(ObjectUtil.defaultIfNull(ssf, DefaultSSLInfo.DEFAULT_SSF));
 		}

--- a/hutool-http/src/main/java/cn/hutool/http/HttpGlobalConfig.java
+++ b/hutool-http/src/main/java/cn/hutool/http/HttpGlobalConfig.java
@ -33,6 +33,7 @@ public class HttpGlobalConfig implements Serializable {
 	private static int maxRedirectCount = 0;
 	private static boolean ignoreEOFError = true;
 	private static boolean decodeUrl = false;
+	private static boolean trustAnyHost = true;

 	/**
 	 * 获取全局默认的超时时长
@ -199,7 +200,7 @@ public class HttpGlobalConfig implements Serializable {
 		// 去除final修饰
 		ReflectUtil.removeFinalModify(methodsField);
 		final String[] methods = {
-				"GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE", "PATCH"
+			"GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE", "PATCH"
 		};
 		ReflectUtil.setFieldValue(null, methodsField, methods);

@ -211,4 +212,24 @@ public class HttpGlobalConfig implements Serializable {

 		isAllowPatch = true;
 	}
+
+	/**
+	 * 是否信任所有Host
+	 * @return 是否信任所有Host
+	 * @since 5.8.27
+	 */
+	public static boolean isTrustAnyHost(){
+		return trustAnyHost;
+	}
+
+	/**
+	 * 是否信任所有Host<br>
+	 * 见：https://github.com/dromara/hutool/issues/2042<br>
+	 *
+	 * @param customTrustAnyHost 如果设置为{@code false}，则按照JDK默认验证机制，验证目标服务器的证书host和请求host是否一致，{@code true}表示不验证。
+	 * @since 5.8.27
+	 */
+	public static void setTrustAnyHost(boolean customTrustAnyHost) {
+		trustAnyHost = customTrustAnyHost;
+	}
 }