【issues/4393】解决使用参数tableName=sys_user t&复测，漏洞仍然存在

2025-12-26 08:16:41 +08:00 · 2023-08-14 12:51:31 +08:00
parent c514185279
commit 722d2229de
2 changed files with 15 additions and 11 deletions
--- a/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/security/DictQueryBlackListHandler.java
+++ b/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/security/DictQueryBlackListHandler.java
@ -56,6 +56,9 @@ public class DictQueryBlackListHandler extends AbstractQueryBlackListHandler {
        if (tableName.contains(" ")) {
            tableName = tableName.substring(0, tableName.indexOf(" "));
        }
+        if (tableName.contains(".")) {
+            tableName = tableName.substring(tableName.indexOf(".")+1, tableName.length());
+        }
        //【issues/4393】 sys_user , (sys_user), sys_user%20, %60sys_user%60
        String reg = "\\s+|\\(|\\)|`";
        return tableName.replaceAll(reg, "");