From 524ad4e6ddc04f2f0cfacb33f42c2f022629bbbb Mon Sep 17 00:00:00 2001
From: abbfun <819589789@qq.com>
Date: 星期一, 23 五月 2022 15:36:18 +0800
Subject: [PATCH] fastjson 版本升级 fastjson <= 1.2.80 存在反序列化任意代码执行漏洞
---
ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysUserController.java | 22 ++++++++++++++--------
1 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysUserController.java b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysUserController.java
index 6cfbfb8..60d9de0 100644
--- a/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysUserController.java
+++ b/ruoyi-admin/src/main/java/com/ruoyi/web/controller/system/SysUserController.java
@@ -2,6 +2,7 @@
import java.util.List;
import java.util.stream.Collectors;
+import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.ArrayUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.prepost.PreAuthorize;
@@ -62,12 +63,12 @@
@Log(title = "鐢ㄦ埛绠$悊", businessType = BusinessType.EXPORT)
@PreAuthorize("@ss.hasPermi('system:user:export')")
- @GetMapping("/export")
- public AjaxResult export(SysUser user)
+ @PostMapping("/export")
+ public void export(HttpServletResponse response, SysUser user)
{
List<SysUser> list = userService.selectUserList(user);
ExcelUtil<SysUser> util = new ExcelUtil<SysUser>(SysUser.class);
- return util.exportExcel(list, "鐢ㄦ埛鏁版嵁");
+ util.exportExcel(response, list, "鐢ㄦ埛鏁版嵁");
}
@Log(title = "鐢ㄦ埛绠$悊", businessType = BusinessType.IMPORT)
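Review bot: The rewritten `export` now returns `void` and writes the workbook straight into `response`, but nothing in the hunk documents that contract, which differs from the `AjaxResult`-returning handlers around it; a one-line Javadoc such as `/** Exports the users matching {@code user} as an Excel workbook written directly to {@code response}; nothing is returned. */` would make that clear (the same applies to `importTemplate` in the next hunk). Separately, the diffstat at the top of the patch lists only this controller: the fastjson `pom.xml` bump that the subject line announces is not part of this patch, so the deserialization fix it claims is not delivered here and the subject should describe the controller hardening it actually contains.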
@@ -82,11 +83,11 @@
return AjaxResult.success(message);
}
- @GetMapping("/importTemplate")
- public AjaxResult importTemplate()
+ @PostMapping("/importTemplate")
+ public void importTemplate(HttpServletResponse response)
{
ExcelUtil<SysUser> util = new ExcelUtil<SysUser>(SysUser.class);
- return util.importTemplateExcel("鐢ㄦ埛鏁版嵁");
+ util.importTemplateExcel(response, "鐢ㄦ埛鏁版嵁");
}
/**
@@ -103,9 +104,10 @@
ajax.put("posts", postService.selectPostAll());
if (StringUtils.isNotNull(userId))
{
- ajax.put(AjaxResult.DATA_TAG, userService.selectUserById(userId));
+ SysUser sysUser = userService.selectUserById(userId);
+ ajax.put(AjaxResult.DATA_TAG, sysUser);
ajax.put("postIds", postService.selectPostListByUserId(userId));
- ajax.put("roleIds", roleService.selectRoleListByUserId(userId));
+ ajax.put("roleIds", sysUser.getRoles().stream().map(SysRole::getRoleId).collect(Collectors.toList()));
}
return ajax;
}
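Review bot: This read path gets no `checkUserDataScope(userId)` while every mutating endpoint in the same patch gains one, so a caller with the query permission can still fetch any user's record, post IDs and role IDs regardless of department scope; adding `userService.checkUserDataScope(userId);` inside the `isNotNull(userId)` branch before `selectUserById` would make the read consistent with the writes. The new `sysUser.getRoles().stream()` line also dereferences `sysUser` and its role list without a null check, so an unknown or deleted `userId` presumably now yields a NullPointerException where the old `roleService.selectRoleListByUserId` call returned an empty list; guard it, e.g. `ajax.put("roleIds", sysUser == null || sysUser.getRoles() == null ? Collections.emptyList() : sysUser.getRoles().stream().map(SysRole::getRoleId).collect(Collectors.toList()));` (or reject a missing user explicitly). The enclosing `getInfo` method starts above this hunk.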
@@ -146,6 +148,7 @@
public AjaxResult edit(@Validated @RequestBody SysUser user)
{
userService.checkUserAllowed(user);
+ userService.checkUserDataScope(user.getUserId());
if (StringUtils.isNotEmpty(user.getPhonenumber())
&& UserConstants.NOT_UNIQUE.equals(userService.checkPhoneUnique(user)))
{
@@ -184,6 +187,7 @@
public AjaxResult resetPwd(@RequestBody SysUser user)
{
userService.checkUserAllowed(user);
+ userService.checkUserDataScope(user.getUserId());
user.setPassword(SecurityUtils.encryptPassword(user.getPassword()));
user.setUpdateBy(getUsername());
return toAjax(userService.resetPwd(user));
@@ -198,6 +202,7 @@
public AjaxResult changeStatus(@RequestBody SysUser user)
{
userService.checkUserAllowed(user);
+ userService.checkUserDataScope(user.getUserId());
user.setUpdateBy(getUsername());
return toAjax(userService.updateUserStatus(user));
}
@@ -225,6 +230,7 @@
@PutMapping("/authRole")
public AjaxResult insertAuthRole(Long userId, Long[] roleIds)
{
+ userService.checkUserDataScope(userId);
userService.insertUserAuth(userId, roleIds);
return success();
}
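Review bot: `insertAuthRole` gains only `checkUserDataScope(userId)`, whereas the `edit`, `resetPwd` and `changeStatus` hunks in this patch call `userService.checkUserAllowed(user)` first and the data-scope check second; if `checkUserAllowed` is what blocks changes to the built-in admin account, as its use on those endpoints suggests, that account's roles can still be rewritten through `/authRole`. Loading the target and running the same guard would close the gap: `SysUser target = userService.selectUserById(userId);` followed by `userService.checkUserAllowed(target);` before the data-scope check, with a null `target` (unknown `userId`) rejected rather than passed on to `insertUserAuth`. Whether `checkUserDataScope` itself tolerates a null `userId` is not visible here and is worth confirming.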
--
Gitblit v1.9.3