From 0bc7e0967d6c1005af0e0e5a54707240325a7d00 Mon Sep 17 00:00:00 2001
From: zhangdaiscott
Date: Mon, 14 Aug 2023 10:01:49 +0800
Subject: [PATCH] =?UTF-8?q?=E3=80=90issues/4393=E3=80=91=E8=A7=A3=E5=86=B3?=
 =?UTF-8?q?=E4=BD=BF=E7=94=A8=E5=8F=82=E6=95=B0tableName=3Dsys=5Fuser=20t&?=
 =?UTF-8?q?=E5=A4=8D=E6=B5=8B=EF=BC=8C=E6=BC=8F=E6=B4=9E=E4=BB=8D=E7=84=B6?=
 =?UTF-8?q?=E5=AD=98=E5=9C=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../system/security/DictQueryBlackListHandler.java | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/security/DictQueryBlackListHandler.java b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/security/DictQueryBlackListHandler.java
index 5d120c83..ebfc1c7d 100644
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/security/DictQueryBlackListHandler.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/security/DictQueryBlackListHandler.java
@@ -1,6 +1,5 @@
 package org.jeecg.modules.system.security;
 
-import org.jeecg.common.constant.CommonConstant;
 import org.jeecg.common.constant.SymbolConstant;
 import org.jeecg.common.util.oConvertUtils;
 import org.jeecg.common.util.security.AbstractQueryBlackListHandler;
@@ -52,9 +51,14 @@ public class DictQueryBlackListHandler extends AbstractQueryBlackListHandler { */ private String getTableName(String str) { String[] arr = str.split("\\s+(?i)where\\s+"); - // sys_user , (sys_user), sys_user%20, %60sys_user%60 issues/4393 + String tableName = arr[0]; + //【20230814】解决使用参数tableName=sys_user t&复测,漏洞仍然存在 + if (tableName.contains(" ")) { + tableName = tableName.substring(0, tableName.indexOf(" ")); + } + //【issues/4393】 sys_user , (sys_user), sys_user%20, %60sys_user%60 String reg = "\\s+|\\(|\\)|`"; - return arr[0].replaceAll(reg, ""); + return tableName.replaceAll(reg, ""); } }
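Review bot: The alias guard `if (tableName.contains(" "))` only recognises a literal space character, so an alias separated from the table name by a tab or any other whitespace that `\\s+` matches is not cut off, and the following `replaceAll(reg, "")` then fuses the two tokens into one name (a tab-separated `sys_user` and `t` become `sys_usert`), which presumably no longer equals the blacklist entry. The same block also regresses on leading whitespace in `arr[0]`: `indexOf(" ")` returns 0, `substring(0, 0)` yields an empty string, and an empty name is what reaches the blacklist comparison, whereas the old `replaceAll` stripped the whitespace and kept the name. Trimming and then splitting on any whitespace covers both cases in one line, `String tableName = arr[0].trim().split("\\s+", 2)[0];`, after which the `contains`/`substring` block can be dropped. Whether callers can actually pass leading whitespace or tabs in this parameter is not visible from the hunk; the existing `split("\\s+(?i)where\\s+")` on the line above suggests the input is not normalised beforehand.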