
anonymous /gist:0045ef4df99b31b43daa
Improved workaround for struts exploit
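/**
 * Servlet filter that hides request parameters whose names match a configured regular
 * expression, so that components later in the chain never see them.
 *
 * <p>Written as a workaround for a Struts exploit: the excluded names are expected to be the
 * parameter names that exploit relies on. Confirm the configured pattern against the relevant
 * advisory.
 *
 * <p>Configuration: the {@code excludeParams} init-param holds the regular expression. It is
 * applied with {@link java.util.regex.Matcher#matches()}, so it must match the <em>whole</em>
 * parameter name; a pattern that only matches a fragment of the name filters nothing.
 *
 * <p>Deployment: the filter only protects code that runs after it in the chain, so it has to be
 * mapped ahead of the framework's own servlet or filter.
 */
public class ParamFilter implements Filter {

    /** Compiled form of the {@code excludeParams} init-param; assigned once in {@link #init}. */
    private Pattern pattern;

    /**
     * Reads and compiles the {@code excludeParams} init-param.
     *
     * @param filterConfig container-supplied configuration for this filter
     * @throws ServletException if the init-param is missing or is not a valid regular
     *     expression; failing at start-up avoids running with no filtering in place
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        String excludeParams = filterConfig.getInitParameter("excludeParams");
        if (excludeParams == null) {
            // Pattern.compile(null) would otherwise surface as a bare NullPointerException.
            throw new ServletException("ParamFilter requires the 'excludeParams' init-param");
        }
        try {
            pattern = Pattern.compile(excludeParams);
        } catch (java.util.regex.PatternSyntaxException e) {
            throw new ServletException("Invalid 'excludeParams' pattern for ParamFilter", e);
        }
    }

    /**
     * Passes the request down the chain wrapped in a view that omits excluded parameters.
     *
     * @throws ServletException if the request is not an HTTP request (the wrapper needs an
     *     {@code HttpServletRequest}), or if thrown by the rest of the chain
     * @throws IOException if thrown by the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!(request instanceof HttpServletRequest)) {
            // Reject rather than pass through unfiltered.
            throw new ServletException("ParamFilter only supports HTTP requests");
        }
        chain.doFilter(new ParamFilteredRequest(request, pattern), response);
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Request view in which every parameter accessor ({@code getParameterNames},
     * {@code getParameterMap}, {@code getParameter}, {@code getParameterValues}) omits the
     * excluded names. Filtering only {@code getParameterNames} would leave the same values
     * reachable through the other three accessors.
     *
     * <p>{@code getQueryString}, {@code getInputStream} and {@code getReader} are not
     * overridden and still expose the raw data.
     * NOTE(review): parameters that a framework obtains by parsing the request body itself
     * (for example multipart form handling) do not pass through these accessors; confirm that
     * such paths are covered separately.
     */
    private static class ParamFilteredRequest extends HttpServletRequestWrapper {

        private final Pattern pattern;

        public ParamFilteredRequest(ServletRequest request, Pattern pattern) {
            super((HttpServletRequest) request);
            this.pattern = pattern;
        }

        /** Returns true when the whole parameter name matches the exclusion pattern. */
        private boolean isExcluded(String parameterName) {
            return parameterName != null && pattern.matcher(parameterName).matches();
        }

        /** Returns the names of the wrapped request's parameters, minus the excluded ones. */
        @Override
        public Enumeration<String> getParameterNames() {
            List<String> requestParameterNames = Collections.list(super.getParameterNames());
            List<String> finalParameterNames = new ArrayList<>();
            for (String parameterName : requestParameterNames) {
                if (!isExcluded(parameterName)) {
                    finalParameterNames.add(parameterName);
                }
            }
            return Collections.enumeration(finalParameterNames);
        }

        /** Returns {@code null} for an excluded name, as if the parameter had not been sent. */
        @Override
        public String getParameter(String name) {
            return isExcluded(name) ? null : super.getParameter(name);
        }

        /** Returns {@code null} for an excluded name, as if the parameter had not been sent. */
        @Override
        public String[] getParameterValues(String name) {
            return isExcluded(name) ? null : super.getParameterValues(name);
        }

        /**
         * Returns an unmodifiable copy of the wrapped request's parameter map without the
         * excluded entries. Types are fully qualified so that no import has to be added.
         */
        @Override
        public java.util.Map<String, String[]> getParameterMap() {
            java.util.Map<String, String[]> source = super.getParameterMap();
            java.util.Map<String, String[]> filtered = new java.util.LinkedHashMap<>();
            for (java.util.Map.Entry<String, String[]> entry : source.entrySet()) {
                if (!isExcluded(entry.getKey())) {
                    filtered.put(entry.getKey(), entry.getValue());
                }
            }
            return Collections.unmodifiableMap(filtered);
        }
    }
}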