From 3347ca4d7484d9141b189462e169b2be4d324632 Mon Sep 17 00:00:00 2001
From: 江强 <jiangq@powerlbs.com>
Date: 星期二, 27 七月 2021 09:33:12 +0800
Subject: [PATCH] fix:Issue #I42GRW 修复任意账户越权漏洞
---
ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysMenuController.java | 7 ++-----
1 files changed, 2 insertions(+), 5 deletions(-)
diff --git a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysMenuController.java b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysMenuController.java
index 4c7b7c0..eb66ea3 100644
--- a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysMenuController.java
+++ b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysMenuController.java
@@ -13,7 +13,6 @@
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import com.ruoyi.common.annotation.Log;
-import com.ruoyi.common.constant.Constants;
import com.ruoyi.common.constant.UserConstants;
import com.ruoyi.common.core.controller.BaseController;
import com.ruoyi.common.core.domain.AjaxResult;
@@ -102,8 +101,7 @@
{
return AjaxResult.error("新增菜单'" + menu.getMenuName() + "'失败,菜单名称已存在");
}
- else if (UserConstants.YES_FRAME.equals(menu.getIsFrame())
- && !StringUtils.startsWithAny(menu.getPath(), Constants.HTTP, Constants.HTTPS))
+ else if (UserConstants.YES_FRAME.equals(menu.getIsFrame()) && !StringUtils.ishttp(menu.getPath()))
{
return AjaxResult.error("新增菜单'" + menu.getMenuName() + "'失败,地址必须以http(s)://开头");
}
@@ -123,8 +121,7 @@
{
return AjaxResult.error("修改菜单'" + menu.getMenuName() + "'失败,菜单名称已存在");
}
- else if (UserConstants.YES_FRAME.equals(menu.getIsFrame())
- && !StringUtils.startsWithAny(menu.getPath(), Constants.HTTP, Constants.HTTPS))
+ else if (UserConstants.YES_FRAME.equals(menu.getIsFrame()) && !StringUtils.ishttp(menu.getPath()))
{
return AjaxResult.error("修改菜单'" + menu.getMenuName() + "'失败,地址必须以http(s)://开头");
}
--
Gitblit v1.9.2