From 3478e8f7bce8254df1d571115f7f0a79f38b0df6 Mon Sep 17 00:00:00 2001
From: kezhijie
Date: Wed, 30 Aug 2023 11:38:47 +0800
Subject: [PATCH] issue#5295 issue#5296 issue#5255
---
 .../java/org/jeecg/common/util/SqlInjectionUtil.java | 2 +-
 .../modules/system/controller/LoginController.java | 4 ++--
 .../org/jeecg/modules/system/util/RandImageUtil.java | 10 +++++++++-
 3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java b/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
index 1537609f..9d84762b 100644
--- a/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
+++ b/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java
@@ -33,7 +33,7 @@ public class SqlInjectionUtil {
 /**
 * sleep函数
 */
-private final static Pattern FUN_SLEEP = Pattern.compile("sleep\\([\\d\\.]*\\)", Pattern.CASE_INSENSITIVE);
+private final static Pattern FUN_SLEEP = Pattern.compile("sleep\\(.*\\)", Pattern.CASE_INSENSITIVE);
 /**
 * sql注释的正则
diff --git a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/LoginController.java b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/LoginController.java
index e9a5febc..074b81fe 100644
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/LoginController.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/LoginController.java
@@ -727,8 +727,8 @@ public class LoginController {
 if(failTime!=null){
 val = Integer.parseInt(failTime.toString());
 }
-// 1小时
-redisUtil.set(key, ++val, 3600);
+// 10分钟
+redisUtil.set(key, ++val, 600);
 }
 }
\ No newline at end of file
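Review bot: The widened `FUN_SLEEP` pattern on the `+` line still requires `(` to follow `sleep` with nothing in between, and because the flags do not include `Pattern.DOTALL` the `.*` stops at a line break, so the check is narrower than the intent "any sleep() call" suggests; `Pattern.compile("sleep\\s*\\(.*\\)", Pattern.CASE_INSENSITIVE | Pattern.DOTALL)` matches the intent more closely. The greedy `.*` now spans from the first `sleep(` to the last `)` in the input, which is acceptable for a reject-on-match check but deserves a comment such as `// greedy on purpose: used only as a reject-on-match test, never to extract the argument` so the constant is not later reused for parsing. This denylist is a secondary control for the call sites that use it outside the hunk; those sites should still bind user values as parameters rather than rely on the regex.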
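Review bot: `600` on the changed `redisUtil.set` line is a magic number that encodes a security policy (the window in which failed logins are counted) and the attempt limit it pairs with lives outside this hunk, so name it, e.g. `private static final long LOGIN_FAIL_WINDOW_SECONDS = 600;`, and reuse the constant wherever the limit is compared so the two cannot drift apart. The counter is read into `failTime`, incremented in Java and written back with a fresh TTL, so two concurrent failed logins for the same key can both observe the same value and store the same `val`, undercounting attempts; if `redisUtil` exposes an atomic Redis INCR with an expiry, that is the safer form, though I cannot see its API from here. Shortening the window from 3600 s to 600 s weakens the brute-force control by itself, so the attempt limit should be re-validated against the new window. The enclosing method begins before this hunk.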
diff --git a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/util/RandImageUtil.java b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/util/RandImageUtil.java
index 3311d68d..0be039ea 100644
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/util/RandImageUtil.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/util/RandImageUtil.java
@@ -6,6 +6,8 @@ import java.awt.*;
 import java.awt.image.BufferedImage;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.Base64;
 import java.util.Random;
@@ -96,7 +98,13 @@ public class RandImageUtil {
 // graphics.setColor(getRandColor(100, 200));
 // ---2
 graphics.drawRect(0, 0, WIDTH - 1, HEIGHT - 1);
-final Random random = new Random();
+// SHA1PRNG是-种常用的随机数生成算法,处理弱随机数问题
+SecureRandom random;
+try {
+random = SecureRandom.getInstance("SHA1PRNG");
+} catch (NoSuchAlgorithmException e) {
+random = new SecureRandom();
+}
 // 随机产生干扰线,使图象中的认证码不易被其它程序探测到
 for (int i = 0; i < COUNT; i++) {
 // ---3
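Review bot: Requesting `SecureRandom.getInstance("SHA1PRNG")` on the new lines pins a legacy, provider-specific algorithm and wraps it in a try/catch that the no-arg constructor never needs; `new SecureRandom()` selects the platform's default strong implementation and is the generally recommended form, so the seven added lines collapse to `SecureRandom random = new SecureRandom();`. Because `SecureRandom` is thread-safe it can equally be hoisted to `private static final SecureRandom RANDOM = new SecureRandom();` so a generator is not constructed on every captcha render. The generator created here only drives the noise lines drawn in the loop below; if the captcha characters are chosen elsewhere in this file with `java.util.Random`, that call matters more and should be switched too. If `Random` is then unused, the `import java.util.Random;` kept in the first hunk is dead, and with the simpler constructor the `NoSuchAlgorithmException` import becomes unnecessary as well. The enclosing method starts and ends outside this hunk.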