修复CVE-2022-22885,HttpGlobalConfig可选关闭信任host
This commit is contained in:
parent
f2e154f5b5
commit
f15612cd55
@ -2,7 +2,7 @@
|
||||
# 🚀Changelog
|
||||
|
||||
-------------------------------------------------------------------------------------------------------------
|
||||
# 5.8.27(2024-03-11)
|
||||
# 5.8.27(2024-03-12)
|
||||
|
||||
### 🐣新特性
|
||||
* 【extra 】 FreemarkerEngine修改默认版本参数
|
||||
@ -14,6 +14,7 @@
|
||||
### 🐞Bug修复
|
||||
* 【core 】 修复PathMover对目标已存在且只读文件报错错误问题(issue#I95CLT@Gitee)
|
||||
* 【json 】 修复JSONUtil序列化和反序列化预期的结果不一致问题(pr#3507@Github)
|
||||
* 【http 】 修复CVE-2022-22885,HttpGlobalConfig可选关闭信任host(issue#2042@Github)
|
||||
|
||||
-------------------------------------------------------------------------------------------------------------
|
||||
# 5.8.26(2024-02-10)
|
||||
|
@ -276,7 +276,10 @@ public class HttpConnection {
|
||||
// Https请求
|
||||
final HttpsURLConnection httpsConn = (HttpsURLConnection) conn;
|
||||
// 验证域
|
||||
httpsConn.setHostnameVerifier(ObjectUtil.defaultIfNull(hostnameVerifier, DefaultSSLInfo.TRUST_ANY_HOSTNAME_VERIFIER));
|
||||
httpsConn.setHostnameVerifier(ObjectUtil.defaultIfNull(hostnameVerifier,
|
||||
// CVE-2022-22885 https://github.com/dromara/hutool/issues/2042
|
||||
// 增加全局变量可选是否不验证host
|
||||
HttpGlobalConfig.isTrustAnyHost() ? DefaultSSLInfo.TRUST_ANY_HOSTNAME_VERIFIER : HttpsURLConnection.getDefaultHostnameVerifier()));
|
||||
httpsConn.setSSLSocketFactory(ObjectUtil.defaultIfNull(ssf, DefaultSSLInfo.DEFAULT_SSF));
|
||||
}
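Review bot: The fallback on the new `setHostnameVerifier` lines still resolves to `DefaultSSLInfo.TRUST_ANY_HOSTNAME_VERIFIER` unless the caller has changed the global flag, and `HttpGlobalConfig.trustAnyHost` is initialised to `true` elsewhere in this commit, so the CVE-2022-22885 behaviour remains the out-of-the-box default and hostname verification is opt-in via `HttpGlobalConfig.setTrustAnyHost(false)`. If keeping the old default is a deliberate compatibility decision, the comment here should say so rather than only citing the issue, e.g. `// NOTE: trustAnyHost defaults to true for backward compatibility; hostname verification is opt-in via HttpGlobalConfig.setTrustAnyHost(false)`. The following line still falls back to `DefaultSSLInfo.DEFAULT_SSF`; whether that factory performs certificate-chain validation is not visible here, and if it installs a trust-all `TrustManager`, switching the hostname verifier alone does not close the MITM path. The enclosing method starts and ends outside this hunk.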
|
||||
|
||||
|
@ -33,6 +33,7 @@ public class HttpGlobalConfig implements Serializable {
|
||||
private static int maxRedirectCount = 0;
|
||||
private static boolean ignoreEOFError = true;
|
||||
private static boolean decodeUrl = false;
|
||||
private static boolean trustAnyHost = true;
|
||||
|
||||
/**
|
||||
* 获取全局默认的超时时长
|
||||
@ -199,7 +200,7 @@ public class HttpGlobalConfig implements Serializable {
|
||||
// 去除final修饰
|
||||
ReflectUtil.removeFinalModify(methodsField);
|
||||
final String[] methods = {
|
||||
"GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE", "PATCH"
|
||||
"GET", "POST", "HEAD", "OPTIONS", "PUT", "DELETE", "TRACE", "PATCH"
|
||||
};
|
||||
ReflectUtil.setFieldValue(null, methodsField, methods);
|
||||
|
||||
@ -211,4 +212,24 @@ public class HttpGlobalConfig implements Serializable {
|
||||
|
||||
isAllowPatch = true;
|
||||
}
|
||||
|
||||
/**
|
||||
* 是否信任所有Host
|
||||
* @return 是否信任所有Host
|
||||
* @since 5.8.27
|
||||
*/
|
||||
public static boolean isTrustAnyHost(){
|
||||
return trustAnyHost;
|
||||
}
|
||||
|
||||
/**
|
||||
* 是否信任所有Host<br>
|
||||
* 见:https://github.com/dromara/hutool/issues/2042<br>
|
||||
*
|
||||
* @param customTrustAnyHost 如果设置为{@code false},则按照JDK默认验证机制,验证目标服务器的证书host和请求host是否一致,{@code true}表示不验证。
|
||||
* @since 5.8.27
|
||||
*/
|
||||
public static void setTrustAnyHost(boolean customTrustAnyHost) {
|
||||
trustAnyHost = customTrustAnyHost;
|
||||
}
|
||||
}
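Review bot: `trustAnyHost` is initialised to `true`, so after this change hostname verification is still disabled by default and the CVE-2022-22885 mitigation only applies to callers who explicitly call `setTrustAnyHost(false)`; a secure-by-default fix would initialise the field to `false` and leave the opt-out to users who relied on the old behaviour. If the compatibility trade-off is intentional, the `setTrustAnyHost` Javadoc should state it plainly, e.g. `Defaults to {@code true} (no host verification) for backward compatibility; production deployments should call {@code setTrustAnyHost(false)}.` The flag is a plain non-`volatile` static written by the setter and presumably read on request threads, consistent with the neighbouring `ignoreEOFError` and `decodeUrl` fields, so a flip after connections are already in flight is not guaranteed to be observed by other threads; that is likely acceptable for a startup-time setting but is worth one sentence in the Javadoc. The whitespace-only change to the `methods` array in the middle hunk needs no action.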
|
||||
|