我有一个减轻MVC应用程序中主机头注入的任务。除此之外,我想通过创建一个HTTP模块来实现白名单检查。
到目前为止,我正在使用这样的东西:
web.config条目:
<system.webServer><modules><add name="TestHttpModule" type="MVC5TestApp.MyHttpModule, MVC5TestApp" /></modules></system.webServer>
字符串
HTTP模块类:
public class MyHttpModule: IHttpModule{public MyHttpModule() {}public void Init(HttpApplication application){application.BeginRequest += new EventHandler(this.context_BeginRequest);application.EndRequest += new EventHandler(this.context_EndRequest);}public void context_BeginRequest(object sender, EventArgs e){CheckForHostHeaderInjection();}public void context_EndRequest(object sender, EventArgs e){// some code}public void Dispose() {}private void CheckForHostHeaderInjection(){// Currently, I am just comparing the following two ServerVariables.// I will add a method to compare "HTTP_HOST" value against a whitelist later.var httpHost = HttpContext.Current.Request.ServerVariables["HTTP_HOST"];var serverName = HttpContext.Current.Request.ServerVariables["SERVER_NAME"];if (!string.Equals(httpHost, serverName)){// What do I do in order to send back to the client a 400 Bad Request??}}}
型
1条答案
按热度按时间n9vozmp41#
对于MVC,更简洁的解决方案是实现一个
IActionFilter来执行验证。在OnActionExecuting中,您可以执行头部检查并强制响应(HTTP 400),以短路请求流的其余部分。您的
OnActionExecuting实现将如下所示。字符串
请访问https://learn.microsoft.com/en-us/aspnet/mvc/overview/older-versions-1/controllers-and-routing/understanding-action-filters-cs#understanding-action-filters