2020-09-18 19:05

C:\WINDOWS\system32>curl -v -X TRACE http://localhost/check/captcha
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> TRACE /check/captcha HTTP/1.1
> Host: localhost
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Cache-Control: no-cache
< Set-Cookie: JSESSIONID=4-YBgJ5YFXMSSVkquALBZ1m3lMO9L-ynaPGJ601D; path=/
< Server: JFinal
< Pragma: no-cache
< Date: Fri, 18 Sep 2020 08:45:44 GMT
< Connection: keep-alive
< Transfer-Encoding: chunked
< Content-Type: image/jpeg
<
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: " to save to a file.
* Failed writing body (0 != 1365)
* Failed writing data
* Closing connection 0

↓ After the change ↓

C:\WINDOWS\system32>curl -v -X TRACE http://localhost/check/captcha
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 80 (#0)
> TRACE /check/captcha HTTP/1.1
> Host: localhost
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 405 Method Not Allowed
< Connection: keep-alive
< Server: JFinal
< Content-Length: 0
< Date: Fri, 18 Sep 2020 09:05:24 GMT
<
* Connection #0 to host localhost left intact

2020-09-18 19:05

@JFinal It worked!! Mr. Zhan, you're awesome! Add the following code before undertow.start();

import io.undertow.server.HandlerWrapper;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.DisallowedMethodsHandler;
import io.undertow.util.HttpString;

// Wrap the deployment's initial handler chain so that TRACE and TRACK
// requests are answered with 405 Method Not Allowed before they reach the app
undertow.onDeploy((classLoader, deploymentInfo) -> {
    deploymentInfo.addInitialHandlerChainWrapper(new HandlerWrapper() {
        @Override
        public HttpHandler wrap(HttpHandler handler) {
            HttpString[] disallowedHttpMethods = {
                HttpString.tryFromString("TRACE"),
                HttpString.tryFromString("TRACK")
            };
            return new DisallowedMethodsHandler(handler, disallowedHttpMethods);
        }
    });
});

2020-09-18 17:10

Reading this post, it seems to have an approach: https://blog.csdn.net/nklinsirui/article/details/108540403

2020-09-18 16:36

@JFinal How do I turn off this HTTP TRACE?

2020-09-16 15:43

@JFinal Case solved. Due to an oversight, undertow.resourcePath in undertow.txt was set to WebRoot, /, classpath:static. The problem was caused by that /. Sorry for wasting everyone's time.

2020-09-16 14:30

@JFinal @Max_Qiu Indeed, we need to reproduce the problem before we can find a direction for solving it, and to verify whether it is finally fixed. Besides what our company delivered, several other systems are going through acceptance together; they use other frameworks, and the acceptance party says none of the other systems have these issues, only ours has this report. Seeing the comment above saying it may be related to system user permissions, we'll first try looking in that direction for a solution.

2020-09-16 11:24

Bro, I also have a similar vulnerability report on my side; is there a solution?

2020-08-31 11:01

I feel the comment board doesn't enable a rich text editor mainly because of the image problem: on one hand it affects the layout experience of comments, on the other it could cause image storage to surge.

2020-06-29 15:12

Good stuff!! Thanks for sharing

2020-02-23 16:49

You're downloading something, Xunlei or BT

2020-01-07 10:54

Append ?t=20200107 to the resource URL (change it every time the file is updated)

2019-12-25 11:31

https://jfinal.com/doc/2-7

2019-12-16 15:02

Wouldn't xxxxx where id>lastId order by id asc limit pageSize just do it?