From f6996326de0f348a0b863a722553b93e8dc92a8a Mon Sep 17 00:00:00 2001
From: Apex Liu
Date: Mon, 26 Nov 2018 17:40:48 +0800
Subject: [PATCH] =?UTF-8?q?=E6=A3=80=E6=9F=A5=E7=94=A8=E6=88=B7=E5=90=8D?=
 =?UTF-8?q?=E5=90=88=E6=B3=95=E6=80=A7=EF=BC=8C=E9=98=B2=E6=AD=A2SQL?=
 =?UTF-8?q?=E6=B3=A8=E5=85=A5=E6=94=BB=E5=87=BB?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../www/teleport/webroot/app/controller/auth.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/server/www/teleport/webroot/app/controller/auth.py b/server/www/teleport/webroot/app/controller/auth.py
index 6798977..91c2416 100644
--- a/server/www/teleport/webroot/app/controller/auth.py
+++ b/server/www/teleport/webroot/app/controller/auth.py
@@ -107,15 +107,20 @@ class DoLoginHandler(TPBaseJsonHandler):
 ]:
 oath = None
+ # 检查用户名合法性,防止SQL注入攻击
+ if '<' in username or '>' in username:
+ username = username.replace('<', '<')
+ username = username.replace('>', '>')
+ err = TPE_USER_AUTH
+ syslog.sys_log({'username': '???', 'surname': '???'}, self.request.remote_ip, TPE_NOT_EXISTS, '登录失败,可能是攻击行为。试图使用用户名 {} 进行登录。'.format(username))
+ return self.write_json(err)
+
 err, user_info = user.login(self, username, password=password, oath_code=oath)
 if err != TPE_OK:
 if err == TPE_NOT_EXISTS:
 err = TPE_USER_AUTH
- syslog.sys_log({'username': username, 'surname': username}, self.request.remote_ip, TPE_NOT_EXISTS,
- '登录失败,用户`{}`不存在'.format(username))
- return self.write_json(err)
- elif err == TPE_PRIVILEGE:
- return self.write_json(err, '尚未分配角色,请联系管理员')
+ syslog.sys_log({'username': '???', 'surname': '???'}, self.request.remote_ip, TPE_NOT_EXISTS, '登录失败,用户`{}`不存在'.format(username))
+ return self.write_json(err)
 # 判断此用户是否被允许使用当前登录认证方式
 auth_type = user_info.auth_type
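Review bot: The new guard rejects only `<` and `>`, which does not prevent SQL injection as the added comment and the commit title claim — `'`, `;`, `--` and similar still flow unchanged into `user.login`, so the actual injection defence has to be parameterized queries inside that helper (not visible in this hunk); what the guard really protects is the log viewer, if `sys_log` messages are rendered as HTML somewhere. Replace the two-character blacklist with an allowlist and a length cap matching the project's username rules, e.g. `if not re.fullmatch(r'[\w.@\-]{1,64}', username):` (adjust the pattern to what the user store accepts), and reword the comment to say it rejects malformed usernames rather than SQL injection. As rendered here `username.replace('<', '<')` is a no-op; presumably the target was `&lt;` and the entity was lost in rendering, which is worth confirming in the committed file. The hunk also silently drops the `elif err == TPE_PRIVILEGE:` early return, so a user with no role now falls through to `user_info.auth_type`; if that is intended it belongs in the commit message, and the code should not assume `user_info` is populated when `user.login` reports that error. The enclosing method starts outside this hunk.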