本文主要是介绍Struts2 S2-045 漏洞触发流程不严谨推测,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
// 根据 已有的一些信息和修复版本的代码,推测应该是如下的触发流程
// 因为没有测试环境,也只是不严谨的代码触发流程推测,不保证正确性,欢迎大神交流分享。//core\src\main\java\org\apache\struts2\dispatcher\multipart\JakartaMultiPartRequest.java
public void parse(HttpServletRequest request, String saveDir) throws IOException
{try{setLocale(request);processUpload(request, saveDir); // 调用 1}catch (FileUploadBase.SizeLimitExceededException e){if (LOG.isWarnEnabled()){LOG.warn("Request exceeded size limit!", e);}String errorMessage = buildErrorMessage(e, new Object[] {e.getPermittedSize(), e.getActualSize()});if (!errors.contains(errorMessage)){errors.add(errorMessage);}}catch (Exception e) // 调用 7 捕获异常{if (LOG.isWarnEnabled()){LOG.warn("Unable to parse request", e);}String errorMessage = buildErrorMessage(e, new Object[] {}); //调用 8if (!errors.contains(errorMessage)){errors.add(errorMessage);}}
}protected String buildErrorMessage(Throwable e, Object[] args)
{String errorKey = "struts.messages.upload.error." + e.getClass().getSimpleName();if (LOG.isDebugEnabled()){LOG.debug("Preparing error message for key: [#0]", errorKey);}return LocalizedTextUtil.findText(this.getClass(), errorKey, defaultLocale, e.getMessage(), args);// 调用9,触发// 因为 args 为空,使用默认的 e.getMessage() 为 "the request doesn't contain a multipart/form-data or multipart/mixed stream, content type header is" + content-type// If a message is found, it will also be interpolated. Anything within ${...} will be treated as an OGNL expression and evaluated as such.// 故执行了http 请求头content-type 中的{}内部引入的指令
// refer这篇关于Struts2 S2-045 漏洞触发流程不严谨推测的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
